Cisco IOS VPN Configuration Guide: Corporate Headquarters
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,
and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet
Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise,
the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX,
Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient,
and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0502R)
Contents
Preface
  Purpose
  Audience
  Organization
  Related Documentation
Conventions
Getting Help
Finding Command Options
Assumptions
Scenario Descriptions
  Site-to-Site Scenario
  Extranet Scenario
Step 1—Configuring the Tunnel
  Configuring a GRE Tunnel
    Configuring the Tunnel Interface, Source, and Destination
    Verifying the Tunnel Interface, Source, and Destination
  Configuring an IPSec Tunnel
Step 2—Configuring Network Address Translation
  Configuring Static Inside Source Address Translation
  Verifying Static Inside Source Address Translation
Step 3—Configuring Encryption and IPSec
Configuring a Cisco IOS VPN Gateway for Use with Cisco Secure VPN Client Software
Configuring a Cisco IOS VPN Gateway for Use with Microsoft Dial-Up Networking
  Configuring PPTP/MPPE
    Configuring a Virtual Template for Dial-In Sessions
    Configuring PPTP
    Configuring MPPE
    Verifying PPTP/MPPE
  Configuring L2TP/IPSec
    Configuring a Virtual Template for Dial-In Sessions
    Configuring L2TP
    Verifying L2TP
    Configuring Encryption and IPSec
Configuring Cisco IOS Firewall Authentication Proxy
  Configuring Authentication, Authorization, and Accounting
  Configuring the HTTP Server
  Configuring the Authentication Proxy
  Verifying the Authentication Proxy
Comprehensive Configuration Examples
  PPTP/MPPE Configuration
  L2TP/IPSec Configuration
Related Documents
Index
This preface describes the purpose, objectives, audience, organization, and conventions of the Cisco IOS
VPN Configuration Guide and includes the following sections:
• Purpose, page ix
• Audience, page x
• Organization, page x
• Related Documentation, page xi
• Obtaining Documentation, page xii
• Documentation Feedback, page xiii
• Cisco Product Security Overview, page xiii
• Obtaining Technical Assistance, page xiv
• Obtaining Additional Publications and Information, page xvi
Note In this Guide, the term ‘Cisco 7200 series router’ implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
Purpose
This software configuration guide explains the basic considerations and tasks necessary to configure
IP-based, multiservice site-to-site, and remote access Virtual Private Networks (VPNs) on your Cisco
7200 series router. VPNs integrate security and quality of service (QoS) through network technologies
such as Generic Routing Encapsulation (GRE) and IP Security Protocol (IPSec) tunneling, and
high-speed encryption to ensure private transactions over public data networks. This guide does not
cover every available feature; it is not intended to be a comprehensive VPN configuration guide. Instead,
this guide simply explains the basic tasks necessary to configure site-to-site and remote access VPNs on
your Cisco 7200 series router.
Note For detailed information on configuring client-initiated and network access server
(NAS)-initiated access VPNs using the L2F tunneling protocol, refer to the Access VPN
Solutions Using Tunneling Technology publication. If you are a registered Cisco user, you
can access the Access VPNs and IP Security Protocol Tunneling Technology publication.
The intranet, extranet, and remote access business scenarios introduced in this guide include specific
tasks and configuration examples. The examples are the recommended methods for configuring the
specified tasks. Although they are typically the easiest or the most straightforward method, they are not
the only methods of configuring the tasks. If you know of another configuration method not presented
in this guide, you can use it.
The network design considerations discussed in this guide are comprised of known factors that hinder
or optimize network performance. The considerations are not solid rules, but rather suggestions and
discussions that might be helpful in designing your VPN.
Note Use this guide after you install, power up, and initially configure your Cisco 7200 series
router for network connectivity. Refer to the Installation and Configuration Guide at
http://www.cisco.com/en/US/products/hw/routers/ps341/tsd_products_support_series_home.html for instructions on how to install, power up, and initially configure your Cisco
7200 series router.
Audience
This software configuration guide is intended primarily for the following audiences:
• System administrators who are responsible for installing and configuring internetworking
equipment, who are familiar with the fundamentals of Cisco 7200 series router-based
internetworking, and who are familiar with Cisco IOS software and Cisco products
• System administrators who are familiar with the fundamentals of Cisco 7200 series router-based
internetworking and who are responsible for installing and configuring internetworking equipment,
but who might not be familiar with the specifics of Cisco products or the routing protocols supported
by Cisco products
• Customers with technical networking background and experience
Organization
The major sections of this guide follow:
Related Documentation
Your Cisco 7200 series router and the Cisco IOS software running on it contain extensive features and
functionality, which are documented in the following resources:
• For Cisco 7200 series router hardware installation and initial software configuration information,
refer to the following publications located at
http://www.cisco.com/en/US/products/hw/routers/ps341/tsd_products_support_series_home.html:
– The Quick Start Guide for your Cisco 7200 series router
– The Installation and Configuration Guide for your Cisco 7200 series router
• For international agency compliance, safety, and statutory information for Cisco 7200 series router,
refer to the Regulatory Compliance and Safety Information publication for your Cisco 7200 series
router at
http://www.cisco.com/en/US/products/hw/routers/ps341/products_regulatory_approvals_and_compliance09186a00800a94d7.html.
• For information on installing and replacing field-replaceable units (FRUs), refer to the Installing
field-replaceable units publication for your Cisco 7200 series router at
http://www.cisco.com/en/US/products/hw/routers/ps341/prod_installation_guides_list.html.
• For information on installing and replacing the integrated service module (ISM), refer to the
integrated service adapter and integrated service module installation and configuration publication
for your Cisco 7200 series router at
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_module_install_config_guide09186a0080145522.html.
• For information on installing and replacing your VPN Acceleration Module (VAM), refer to the
VAM installation and configuration publication for your Cisco 7200 series router at
http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_and_configuration_guides_list.html.
• For information on the port adapter installed in the Cisco 7200 series router, refer to the individual
installation and configuration guides for each port adapter at
http://www.cisco.com/en/US/products/hw/modules/ps2033/tsd_products_support_series_home.html.
• For configuration information and support, refer to the modular configuration and modular
command reference publications at
http://www.cisco.com/en/US/products/hw/modules/tsd_products_support_category_home.html.
• To determine the minimum Cisco IOS software requirements for your Cisco 7200 series router,
Cisco maintains the Software Advisor tool on Cisco.com. This tool does not verify whether modules
within a system are compatible, but it does provide the minimum IOS requirements for individual
hardware modules or components. Registered Cisco Direct users can access the Software Advisor
at: http://tools.cisco.com/Support/Fusion/FusionHome.do.
• For detailed information on hardware, software configuration, troubleshooting, and other topics
related to IP security and VPN, refer to
http://www.cisco.com/en/US/products/hw/vpndevc/tsd_products_support_category_home.html.
• For information on interfaces and Cisco IOS network design, implementation, configuration,
verification, troubleshooting, operation, and maintenance, refer to
http://www.cisco.com/en/US/products/sw/iosswrel/tsd_products_support_category_home.html.
• If you're a registered Cisco Direct Customer, you can access the tools index at
http://www.cisco.com/en/US/products/prod_tools_index.html.
• For information on network management applications, refer to the “Network Management
Considerations” section on page 2-16 of Chapter 2, “Network Design Considerations” and the
network management product documentation on Cisco.com and the Product Documentation DVD.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product
Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco security advisories and notices are published at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose
Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco
Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by
product ID or model name; by tree view; or for certain products, by copying and pasting show command
output. Search results show an illustration of your product with the serial number label location
highlighted. Locate the serial number label on your product and record the information before placing a
service call.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You
and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operation are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.
This chapter provides helpful tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI) and includes the following sections:
• Conventions, page 1-1
• Understanding Command Modes, page 1-5
• Using the no and default Forms of Commands, page 1-7
• Saving Configuration Changes, page 1-8
For an overview of Cisco IOS software configuration, refer to the Configuration Fundamentals
Configuration Guide. See “Related Documentation” section on page xi for additional information.
Conventions
Command descriptions use the following conventions:
Convention             Description
boldface font          Commands and keywords are in boldface.
italic font            Arguments for which you supply values are in italics.
[ ]                    Elements in square brackets are optional.
{x | y | z}            Alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]            Optional alternative keywords are grouped in brackets and separated by vertical bars.
string                 A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font            Terminal sessions and information the system displays are in screen font.
boldface screen font   Information you must enter is in boldface screen font.
italic screen font     Arguments for which you supply values are in italic screen font.
(pointer icon)         This pointer highlights an important line of text in an example.
Note Means reader take note. Notes contain helpful suggestions or references to material not
covered in the publication.
Getting Help
Entering a question mark (?) at the system prompt displays a list of the commands available in the
current command mode. You can also list any command's associated keywords and arguments with the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:
Command                          Purpose
help                             Obtain a brief description of the help system in any command mode.
abbreviated-command-entry?       Obtain a list of commands that begin with a particular character string. (No space between command and question mark.)
abbreviated-command-entry<Tab>   Complete a partial command name.
?                                List all commands available for a particular command mode.
command ?                        List command-associated keywords. (Space between command and question mark.)
command keyword ?                List keyword-associated arguments. (Space between the keyword and question mark.)
Note Press Ctrl-P or the up arrow key to recall commands in the history buffer, beginning with the most recent
command. Repeat the key sequence to recall successively older commands. Press Ctrl-N or the down
arrow key to return to more recent commands in the history buffer after recalling commands with Ctrl-P
or the up arrow key. Repeat the key sequence to recall successively more recent commands.
The following sequence shows each command entered and, indented beneath it, a comment on what it does.

Router> enable
Password: <password>
Router#

    Enter the enable command and password to access privileged EXEC commands. You have entered
    privileged EXEC mode when the prompt changes to Router#.

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#

    Enter global configuration mode. You have entered global configuration mode when the prompt
    changes to Router(config)#.

Router(config)# controller t1 ?
  <0-3>  Controller unit number
Router(config)# controller t1 1
Router(config-controller)#

    Enter controller configuration mode by specifying the T1 controller that you want to configure
    using the controller t1 global configuration command. Enter a ? to display what you must enter
    next on the command line. In this example, you must enter a controller unit number from 0 to 3.
    You have entered controller configuration mode when the prompt changes to
    Router(config-controller)#.

Router(config-controller)# ?
Controller configuration commands:
  cablelength    Specify the cable length for a DS1 link
  cas-group      Configure the specified timeslots for CAS (Channel Associate Signals)
  channel-group  Specify the timeslots to channel-group mapping for an interface
  clock          Specify the clock source for a DS1 link
  default        Set a command to its defaults
  description    Controller specific description
  ds0            ds0 commands
  exit           Exit from controller configuration mode
  fdl            Specify the FDL standard for a DS1 data link
  framing        Specify the type of Framing on a DS1 link
  help           Description of the interactive help system
  linecode       Specify the line encoding method for a DS1 link
  loopback       Put the entire T1 line into loopback
  no             Negate a command or set its defaults
  pri-group      Configure the specified timeslots for PRI
  shutdown       Shut down a DS1 link (send Blue Alarm)
Router(config-controller)#

    Enter a ? to display a list of all the controller configuration commands available for the
    T1 controller.

Router(config-controller)# cas-group ?
  <0-23>  Channel number
Router(config-controller)# cas-group

    Enter the command that you want to configure for the controller. In this example, the cas-group
    command is used. Enter a ? to display what you must enter next on the command line. In this
    example, you must enter a channel number from 0 to 23. When the system redisplays the command,
    it indicates that you must enter more keywords to complete the command.

Router(config-controller)# cas-group 1 ?
  timeslots  List of timeslots in the cas-group
Router(config-controller)# cas-group 1

    After you enter the channel number, enter a ? to display what you must enter next on the
    command line. In this example, you must enter the timeslots keyword. When the system redisplays
    the command, it indicates that you must enter more keywords to complete the command.

Router(config-controller)# cas-group 1 timeslots ?
  <1-24>  List of timeslots which comprise the cas-group
Router(config-controller)# cas-group 1 timeslots

    After you enter the timeslots keyword, enter a ? to display what you must enter next on the
    command line. In this example, you must enter a list of timeslots from 1 to 24. You can specify
    timeslot ranges (for example, 1–24), individual timeslots separated by commas (for example,
    1, 3, 5), or a combination of the two (for example, 1–3, 8, 17–24). The 16th time slot is not
    specified in the command line, because it is reserved for transmitting the channel signaling.
    When the system redisplays the command, it indicates that you must enter more keywords to
    complete the command.

Router(config-controller)# cas-group 1 timeslots 1-24 ?
  service  Specify the type of service
  type     Specify the type of signaling
Router(config-controller)# cas-group 1 timeslots 1-24

    After you enter the timeslot ranges, enter a ? to display what you must enter next on the
    command line. In this example, you must enter the service or type keyword. When the system
    redisplays the command, it indicates that you must enter more keywords to complete the command.

Router(config-controller)# cas-group 1 timeslots 1-24 type ?
  e&m-fgb              E & M Type II FGB
  e&m-fgd              E & M Type II FGD
  e&m-immediate-start  E & M Immediate Start
  fxs-ground-start     FXS Ground Start
  fxs-loop-start       FXS Loop Start
  sas-ground-start     SAS Ground Start
  sas-loop-start       SAS Loop Start
Router(config-controller)# cas-group 1 timeslots 1-24 type

    In this example, the type keyword is entered. After you enter the type keyword, enter a ? to
    display what you must enter next on the command line. In this example, you must enter one of
    the signaling types. When the system redisplays the command, it indicates that you must enter
    more keywords to complete the command.

Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb ?
  dtmf     DTMF tone signaling
  mf       MF tone signaling
  service  Specify the type of service
  <cr>
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb

    In this example, the e&m-fgb keyword is entered. After you enter the e&m-fgb keyword, enter a ?
    to display what you must enter next on the command line. In this example, you can enter the
    dtmf, mf, or service keyword to indicate the type of channel-associated signaling available for
    the e&m-fgb signaling type. When the system redisplays the command, it indicates that you can
    enter more keywords or press <cr> to complete the command.

Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb dtmf ?
  dnis     DNIS addr info provisioned
  service  Specify the type of service
  <cr>
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb dtmf

    In this example, the dtmf keyword is entered. After you enter the dtmf keyword, enter a ? to
    display what you must enter next on the command line. In this example, you can enter the dnis
    or service keyword to indicate the options available for dtmf tone signaling. When the system
    redisplays the command, it indicates that you can enter more keywords or press <cr> to complete
    the command.

Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb dtmf
Router(config-controller)#

    In this example, enter a <cr> to complete the command.
Using configuration modes, you can make changes to the running configuration. If you later save the
configuration, these commands are stored across router reboots. To get to the various configuration
modes, you must start at global configuration mode. From global configuration mode, you can enter
interface configuration mode, subinterface configuration mode, and a variety of protocol-specific modes.
ROM monitor mode is a separate mode used when the router cannot boot properly. If your router or
access server does not find a valid system image when it is booting, or if its configuration file is
corrupted at startup, the system might enter ROM monitor mode.
For more information about command modes, refer to the “Using the Command Line Interface” chapter
of the Configuration Fundamentals Configuration Guide.
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this step saves the configuration to nonvolatile random-access memory (NVRAM).
On Class A Flash memory file systems, such as Cisco 7100 series routers, this step saves the
configuration to the location specified by the CONFIG_FILE environment variable. The CONFIG_FILE
variable defaults to NVRAM.
This chapter provides an overview of the business scenarios covered in this guide, items you should
consider when configuring a Virtual Private Network (VPN) on your Cisco 7200 series router, and the
assumptions this guide makes.
This chapter includes the following sections:
• Overview of Business Scenarios, page 2-1
• Assumptions, page 2-2
• Cisco SAFE Blueprint, page 2-3
• Hybrid Network Environments, page 2-4
• Integrated versus Overlay Design, page 2-4
• Network Traffic Considerations, page 2-5
• Network Resiliency, page 2-10
• VPN Performance Optimization Considerations, page 2-12
• Network Management Considerations, page 2-16
Note In this Guide, the term ‘Cisco 7200 series router’ implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
Note For detailed information on configuring network access server (NAS)-initiated access VPNs using the
Layer 2 Forwarding (L2F) tunneling protocol, refer to the Access VPN Solutions Using Tunneling
Technology publication.
In each scenario, a tunnel is constructed, encryption is applied on the tunnel, and different traffic types
(for example, IP, User Datagram Protocol [UDP], and Transmission Control Protocol [TCP]) are either
permitted or denied access to the tunnel. This controls the level of access the remote office and business
partner have to the corporate intranet and secures the data exchanged between the sites.
[Figure: the VPN business scenarios covered in this guide. Corporate headquarters connects across the Internet to a remote office, a business partner, and a remote user; the diagram labels a GRE tunnel and an IPSec tunnel.]
The site-to-site VPN business scenario explained in Chapter 3, “Site-to-Site and Extranet VPN Business
Scenarios” links the corporate headquarters to a remote office using connections across the Internet.
Users in the remote office are able to access resources as if they were part of the private corporate
intranet.
The extranet VPN business scenario explained in Chapter 3, “Site-to-Site and Extranet VPN Business
Scenarios” builds on the VPN scenario by linking the same corporate headquarters to a business partner
using connections across the Internet; however, the business partner is given limited access to the
headquarters network—the business partner can access only the headquarters public server.
The remote access VPN business scenario, explained in Chapter 4, “Remote Access VPN Business
Scenarios” provides a remote user access to the corporate headquarters network through a secure IPSec,
PPTP, or L2TP tunnel that is initiated by the remote user running VPN client software on a PC. In this
scenario, the user can access the corporate network remotely.
Note This guide does not explain how to configure your router for use with the Cisco Secure
VPN Client. For detailed information on client-initiated VPNs using
Cisco Secure VPN Client software, refer to the Cisco Secure VPN Client Solutions Guide
publication. If you are a registered Cisco user, you can access the Access VPNs and IP
Security Protocol Tunneling Technology publication.
Assumptions
This guide assumes the following:
• You are configuring a service provider transparent VPN, whereby the tunnel endpoints are outside
of the service provider network (on the headquarters and remote site routers).
• You are configuring your VPN based on IP, a routing mechanism, cryptography, and tunneling
technologies, such as IPSec and GRE.
Note The scenarios in this guide do not explain how to configure certification authority (CA)
interoperability on your Cisco 7200 series router. For detailed configuration information on
CA interoperability, refer to the “Configuring Certification Authority Interoperability”
chapter in the Cisco IOS Security Configuration Guide.
• You have identified the Cisco IOS firewall features that you plan to configure on your Cisco 7200
series router. When considering IOS firewall features, you may find it useful to review the
“Network Traffic Considerations” section on page 2-5. The business scenarios in this guide explain
how to configure extended access lists, which are sequential collections of permit and deny
conditions matched against a packet's source and destination IP addresses, its protocol, and (for
TCP and UDP) its port numbers.
Note For advanced firewall configuration information, refer to the “Traffic Filtering and
Firewalls” section of the Cisco IOS Security Configuration Guide.
• Extranet Considerations
The primary advantage of an overlay design in the headend configuration is that the separation of tasks
optimizes network performance. Each device may be dedicated to one or two tasks, rather than all three,
in a heavy traffic environment. For example, access control lists (ACLs) require a fair amount of CPU
utilization, so performing ACL tasks on a device other than the Cisco 7200 series router leaves the
Cisco 7200 series router more capacity to support network traffic.
Cisco recommends using GRE tunnels with IPSec in tunnel mode to improve the flow of network traffic.
IPSec in tunnel mode can be used as a tunneling protocol by itself for unicast traffic, but it cannot
carry multicast traffic (for example, routing protocol updates). Multicast traffic must first be
encapsulated in a GRE tunnel, after which IPSec can protect the GRE packets in either transport or
tunnel mode. Cisco recommends using IPSec in tunnel mode for the best network traffic performance.
Shortening the SA lifetimes increases the level of security; at the same time, however, it increases the
processor overhead. By default, a rekeyed IPSec SA derives its new key from the phase 1 keying material
and fresh nonces rather than from a new Diffie-Hellman exchange; this saves processing resources, but it
also means that a compromise of the phase 1 secret exposes every SA key derived from it. Perfect forward
secrecy (PFS) instead generates each new key from new seed material by carrying out a Diffie-Hellman (DH)
exponentiation every time a new quick-mode (QM) SA needs key generation. Again, this option increases the
level of security but at the same time increases processor overhead. Cisco does not recommend changing
the SA lifetimes or enabling PFS unless the sensitivity of the data mandates it. If you choose to change
these values, include the added overhead when determining the network design. The strength of the
Diffie-Hellman exponentiation is configurable; Groups 1 (768 bits), 2 (1024 bits), and 5 (1536 bits)
are supported. Group 2 is recommended.
IPSec Considerations
IPSec provides numerous security features. The following have configurable values for the administrator
to define their behavior: data encryption, device authentication and credential, data integrity, address
hiding, and SA key aging. The IPSec standard requires the use of either data integrity or data encryption;
using both is optional. Cisco highly recommends using both encryption and integrity. Cisco recommends
the use of Triple DES (3DES), rather than DES, as it provides stronger encryption. Data integrity comes
in two types: Message Digest 5 (MD5)-HMAC, with a 128-bit digest, or secure hash algorithm
(SHA)-HMAC, with a 160-bit digest (both are truncated to 96 bits in the IPSec packet). Because the bit
strength of SHA is greater, it is considered more secure. Cisco recommends the use of SHA because the
increased security outweighs the slight increase in processor overhead (in fact, SHA is sometimes faster
than MD5 in certain hardware implementations).
Both IPSec phases offer the ability to change the lifetime of the SA. You might consider changing the
lifetime from the default when the sensitivity of the tunneled data mandates replacing the encryption
keys and reauthenticating each device on a more aggressive basis. Keep in mind that the shorter the SA
lifetime, the greater the impact on network traffic (see the “IKE Key Lifetimes” section on page 2-13).
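The following Cisco IOS configuration is an added example for this section and is not a configuration taken from this guide. It shows where each value discussed above is set on the headquarters router: the IKE policy with 3DES, SHA-HMAC and DH group 2, both SA lifetimes left at their Cisco IOS defaults, an ESP transform set that uses encryption and integrity together in tunnel mode, and PFS enabled on the crypto map entry. The peer address 172.24.2.5 and the local serial address 172.17.2.4 come from the site-to-site scenario; the pre-shared key, the access list number and the map name are assumptions.

```cisco
! IKE (phase 1) policy: 3DES, SHA-HMAC, pre-shared keys, DH group 2, default 24 h lifetime
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key for the remote office peer (key value is an example only)
crypto isakmp key S3cretKey-Example address 172.24.2.5
!
! IPSec (phase 2) SA lifetime: 3600 seconds is the IOS default; a shorter value rekeys
! more often, at the cost of one quick-mode negotiation per SA each time it expires
crypto ipsec security-association lifetime seconds 3600
!
! Transform set: ESP with 3DES encryption AND SHA-HMAC integrity, tunnel mode
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL for GRE over IPSec: the GRE packets between the tunnel endpoints are
! what gets encrypted, so the ACL matches on protocol gre, not on the LAN prefixes
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
crypto map VPN 10 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set STRONG
 ! PFS: a fresh DH group 2 exchange on every IPSec rekey. Enable only where the
 ! data sensitivity justifies the extra exponentiation at each quick mode.
 set pfs group2
 match address 101
!
! Apply the map to the physical interface that carries the tunnel packets
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 crypto map VPN
```

Verify with show crypto isakmp policy and show crypto ipsec sa; the latter lists the transform, the remaining lifetime and the PFS group negotiated for each SA. On Cisco IOS releases before 12.2(13)T the crypto map must also be applied to the Tunnel interface, which is what the guide's note about assigning crypto maps to all interfaces that need encryption refers to.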
The use of strong encryption algorithms in non-US countries is sometimes regulated by local import and
usage laws. These strong encryption algorithms cannot be exported to some countries or some
customers. For more information about the exportation of encryption algorithms, please see your sales
representative.
• Keep in mind the following when configuring IPSec:
– IPSec works with the following serial encapsulations: High-Level Data Link Control (HDLC),
Point-to-Point Protocol (PPP), and Frame Relay. IPSec also works with the GRE and IP-in-IP
Layer 3 tunneling protocols and with the L2F and L2TP Layer 2 tunneling protocols; however,
multipoint tunnels are not supported.
– IPSec and Internet Key Exchange (IKE) must be configured on the router and a crypto map must
be assigned to all interfaces that require encryption services of your Cisco 7200 series router.
– When using tunnel mode, IPSec can be applied to unicast IP datagrams only. Because the IPSec
Working Group has not yet addressed the issue of group key distribution, IPSec does not
currently work with multicasts or broadcast IP datagrams. When using IPSec with GRE or
L2TP, this restriction does not apply.
If you use NAT, use static translations for the hosts that are reached through the tunnel so that IPSec
works properly; the peer's crypto policy has to name a fixed address. NAT should occur before the router
performs IPSec encapsulation; in other words, IPSec should work with global addresses, which is the
Cisco IOS order of operations for inside-to-outside traffic. Consequently, the crypto access list must
match the translated (inside global) addresses rather than the inside local ones. NAT is discussed in
further detail in the “Step 2—Configuring Network Address Translation” section on page 3-10.
Quality of Service
The goal of quality of service (QoS) is to provide more efficient and predictable network service by
providing dedicated bandwidth, controlled jitter and latency, and improved loss characteristics. QoS
achieves these goals by providing tools for managing network congestion, shaping network traffic, using
expensive wide-area links more efficiently, and setting traffic policies across the network. QoS
prioritizes voice, data, and web traffic to ensure that mission-critical applications get the service they
require. Benefits to be derived from QoS include the following:
• Control over resources—You have control over which resources (bandwidth, equipment, wide-area
facilities, and so on) are being used. As an example, you can limit the bandwidth consumed over a
backbone link by FTP transfers or give priority to an important database access.
• More efficient use of network resources—Using Cisco's network analysis management and
accounting tools, you will know what your network is being used for and that you are servicing the
most important traffic to your business.
• Tailored services—The control and visibility provided by QoS enables Internet service providers to
offer carefully tailored grades of service to their customers.
• Coexistence of mission-critical applications—Cisco's QoS technologies make certain that your
WAN is used efficiently by mission-critical applications that are most important to your business;
that bandwidth and minimum delays required by time-sensitive multimedia and voice applications
are available; and that other applications using the link get their fair service without interfering with
mission-critical traffic.
• Foundation for a fully integrated network in the future—Implementing Cisco QoS technologies in
your network now is a good first step toward the fully integrated multimedia network needed in the
near future. For example, you can implement weighted fair queuing today and get its immediate
benefit of increasing service predictability and IP Precedence signaling for traffic differentiation.
You reap additional benefits in the future, because weighted fair queuing is Resource Reservation
Protocol (RSVP) enabled, thereby allowing you to take advantage of dynamically signaled QoS
from the inevitable coming wave of RSVP-enabled applications.
See the “Related Documentation” section on page xi for where to find additional documentation on
Cisco IOS QoS benefits, features, and application examples.
While the benefits of NIDS are compelling, NIDS significantly decreases network throughput, because
it inspects every single packet. In a headend environment, consider using alternatives to NIDS. For
example, in an overlay network environment (see the “Integrated versus Overlay Design” section on
page 2-4), the decrease in performance associated with NIDS can be mitigated by designating a device
other than the Cisco 7200 series router, such as the Cisco Intrusion Detection System (CIDS), to perform
NIDS functions.
Split Tunneling
Split tunneling occurs when a remote VPN user or site is allowed to reach a public network (the Internet)
directly while also connected to the private VPN network, instead of first placing the public-network traffic
inside the tunnel. If split tunneling is disabled, the remote VPN user or site must pass all traffic through
the VPN headend, where it can be decrypted and inspected before being sent out to the public network.
Enabling split tunneling therefore reduces the traffic that crosses the VPN, but it poses a security risk: the
remote host is exposed to the public network and attached to the private network at the same time, so a
compromise of that host from the Internet becomes a path into the VPN that the headend never inspects.
Despite the benefit of sending less traffic through the Cisco 7200 series router, Cisco does not recommend
enabling split tunneling unless the remote user has sufficient firewall protection.
Network Resiliency
Network resiliency, or redundancy, enables remote sites to locate another tunneling peer if the primary
headend peer is unreachable, or if there is a permanent loss of IP connectivity between peers. Consider
network resiliency in both the network configuration and in the decision to use GRE tunnels, IPSec
tunnels, or tunnels which utilize IPSec inside GRE. Resiliency can be achieved by properly utilizing and
configuring GRE tunnels, IKE keepalives, and Hot Standby Routing Protocol (HSRP) with Reverse
Route Injection (RRI).
This section contains the following topics:
• Headend Failover
• GRE
• IKE Keepalives
• RRI with HSRP
Headend Failover
Headend failover ensures that network traffic will be routed through a backup Cisco 7200 series router if the
primary Cisco 7200 series router should fail. GRE and IKE keepalives are the two primary means of attaining
headend failover in Cisco IOS VPNs.
GRE
For VPN resilience, the remote site should be configured with two GRE tunnels, one to the primary
headend Cisco 7200 series router, and the other to the backup headend Cisco 7200 series router. If the
GRE tunnels are secured with IPSec, each tunnel has its own IKE SA and a pair of IPSec SAs. Since
GRE can carry multicast and broadcast traffic, it is possible and very desirable to configure a routing
protocol for these virtual links. Once a routing protocol is configured, failover comes automatically. The
hello packets that the routing protocol sends over the GRE tunnels (not to be confused with IKE
keepalives, which run between the IPSec peers themselves) provide the mechanism to detect loss of
connectivity: if the primary GRE tunnel is lost, the remote site detects the event when the routing protocol
hello packets stop arriving and the neighbor hold time expires.
Once virtual-link loss is detected, the routing protocol will choose the next best route; the backup GRE
tunnel will be chosen. Hence, the second part of VPN resilience is obtained by the automatic behavior
of the routing protocol. Since the backup GRE tunnel is already up and secured, the failover time is
determined by the hello packet mechanism and the convergence time of the routing protocol.
Aside from providing a failover mechanism, GRE tunnels provide the ability to encrypt multicast and
broadcast packets and non-IP protocols with IPSec. They also provide enhanced performance and
scalability for site-to-site VPN services. Since GRE tunnels are unique interfaces, they can each be
assigned their own crypto maps. When the headend router needs to send a packet on the VPN, it first
makes a routing decision to send it out an interface and then does a search of the SPI table to find the
corresponding SA. With GRE tunnels, the router must make a routing decision across a multitude of
GRE interfaces. Once the GRE tunnel is chosen, there are only a few SAs to choose from.
GRE tunnels can encapsulate clear text traffic, which enables the passage of routing updates to peer
routers. Passage of routing updates provides reachability information between peers. It also enables
detection of a secondary peer in the case of a loss of reachability for the primary peer. IPSec can be
applied to the GRE tunnel packet to provide encryption for transport security.
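Here is the remote-office side of the design just described, as an added example that is not part of this guide: two GRE tunnels, one to each headend, each protected by its own IPSec SA pair, with EIGRP running across both so that the loss of hellos on the primary tunnel moves the routes to the backup. The remote serial address 172.24.2.5, the primary headend 172.17.2.4 and the remote LAN 10.1.4.0/24 come from the scenario; the backup headend address 172.17.2.5, the tunnel subnets (both ends of each tunnel are placed in one subnet, which a routing protocol requires), the EIGRP AS number, the timers, the delay values and the key are assumptions. The headends need the mirror-image tunnel, EIGRP and crypto configuration.

```cisco
! Remote office router (ro-rtp): two GRE tunnels, one per headend
interface Tunnel0
 description Primary tunnel to hq-sanjose
 ip address 172.17.3.6 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 172.17.2.4
 ! EIGRP hello every 5 s, hold time 15 s: this bounds the failure detection time
 ip hello-interval eigrp 100 5
 ip hold-time eigrp 100 15
!
interface Tunnel1
 description Backup tunnel to the backup headend (address assumed)
 ip address 172.17.4.6 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 172.17.2.5
 ip hello-interval eigrp 100 5
 ip hold-time eigrp 100 15
 ! Higher delay makes EIGRP prefer Tunnel0 while both tunnels are up
 delay 20000
!
! Routing protocol over the tunnels: advertise the remote LAN and both tunnel subnets
router eigrp 100
 network 10.1.4.0 0.0.0.255
 network 172.17.3.0 0.0.0.255
 network 172.17.4.0 0.0.0.255
 no auto-summary
!
! IPSec for both tunnels: one IKE peer, one crypto ACL and one map entry per headend,
! so each tunnel gets its own IKE SA and pair of IPSec SAs
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key S3cretKey-Example address 172.17.2.4
crypto isakmp key S3cretKey-Example address 172.17.2.5
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
access-list 102 permit gre host 172.24.2.5 host 172.17.2.5
crypto map VPN 10 ipsec-isakmp
 set peer 172.17.2.4
 set transform-set STRONG
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 172.17.2.5
 set transform-set STRONG
 match address 102
!
interface Serial1/0
 ip address 172.24.2.5 255.255.255.0
 crypto map VPN
```

With both tunnels up, show ip eigrp neighbors lists both headends and show ip route shows the headquarters LAN via Tunnel0 (the lower delay). If the primary headend goes away, the route moves to Tunnel1 after the 15-second hold time plus EIGRP convergence, with no IKE or IPSec renegotiation, because the backup tunnel's SAs were already established.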
IKE Keepalives
IKE keepalives, or hello packets, are a Cisco IOS mechanism (later standardized as dead peer detection,
RFC 3706) that tracks the reachability of IPSec peers by exchanging hello packets over the IKE SA. If a
peer becomes unreachable, a tunnel is established with a predefined backup or secondary peer.
During the typical life of the IKE Security Association (SA), as defined by the RFCs, packets are only
exchanged over this SA when an IPSec quick mode (QM) negotiation is required at the expiration of the
IPSec SAs. For a Cisco IOS device, the default lifetime of an IKE SA is 24 hours and that of an IPSec
SA is one hour. There is no standards-based mechanism for either type of SA to detect the loss of a peer,
except when the QM negotiation fails. These facts imply that for IOS defaults, an IPSec termination
point could be forwarding data into a black hole for as long as one hour before the protocol detects a loss
of connectivity.
By implementing a keepalive feature over the IKE SA in Cisco IOS software, Cisco has provided
network designers with a simple and non-intrusive mechanism for detecting loss of connectivity between
two IPSec peers. The keepalive packets are sent every 10 seconds by default. Once three packets are
missed, an IPSec termination point concludes that it has lost connectivity with its peer.
To reestablish connectivity, the IPSec termination point must have at least two IPSec peer addresses in
its crypto map statement. The IPSec termination point will send out a main mode (MM) request to
initiate the MM and quick mode (QM) negotiations with the second peer in its list. This type of
functionality is available in all IOS devices that support the IPSec feature set.
IKE keepalives are suggested for use with devices that do not support GRE.
VPN Reverse Route Injection (RRI) is a Cisco IOS feature that solves the problem created by redundant
headends, each of which could terminate a tunnel for the same remote network: it injects a static route for
the remote protected network on the device that currently holds the IPSec session for that peer, so that the
route can be advertised on the internal network. Advertising this route ensures that return traffic for the
session is routed through the device that has the active IPSec session rather than through a headend that
holds no SA for it.
The primary benefits of RRI are that it steers IPSec traffic to a specific VPN headend device in
environments with multiple (redundant) VPN headend devices, and that it gives predictable failover of
remote sessions between headend devices when used together with IKE keepalives.
HSRP complements the new RRI feature in attaining network resiliency. Using HSRP, a set of routers
work in concert to present the illusion of a single virtual router with a virtual IP address that is linked to
real IP addresses. The hosts on the network recognize the virtual router and IP address as the only router
and IP address. The set of routers that comprises the virtual router is known as an HSRP group, or a
standby group. A single router elected from the group is responsible for forwarding the packets that hosts
send to the virtual router. This router is known as the active router. Another router is elected as the
standby router. In the event that the active router fails, the standby router assumes the packet forwarding
duties of the active router. Although an arbitrary number of routers may run HSRP, only the active router
forwards the packets sent to the virtual router.
To minimize network traffic, only the active and the standby routers send periodic HSRP messages once
the protocol has completed the election process. If the active router fails, the standby router takes over
as the active router. If the standby router fails or becomes the active router, another router is elected as
the standby router. RRI then installs the routes for the remote networks on the router that holds the active
IPSec session, so that return traffic from the inside network reaches the tunnel that HSRP has made active.
While HSRP and RRI can be used in conjunction with each other for maximum network resiliency, they
can also be used separately.
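An added example, not a configuration from this guide, of the HSRP-plus-RRI headend design this section describes, with IKE keepalives enabled: the two headends share a virtual address on the Internet-facing interface, the crypto map is bound to the HSRP group, and reverse-route on the map entry installs a static route to the remote network on whichever router holds the active IPSec session; that route is redistributed into EIGRP so the inside network follows the failover. Addresses from the scenario are used where they exist; the virtual address 172.17.2.100, the standby group name, the EIGRP AS number and metric, and the key are assumptions.

```cisco
! ===== Headend hq-sanjose (primary). The backup headend is identical except for
! ===== its own real Serial1/0 address and a lower standby priority.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key S3cretKey-Example address 172.24.2.5
! IKE keepalives: one every 10 s, retried every 3 s once a reply is missed
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
! Protected traffic for an IPSec-only tunnel: headquarters LAN <-> remote office LAN
access-list 101 permit ip 10.1.3.0 0.0.0.255 10.1.4.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set STRONG
 match address 101
 ! RRI: a static route to 10.1.4.0/24 appears on whichever headend holds the SA
 reverse-route
!
! HSRP on the Internet-facing interface; the remote site peers with the virtual address
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 standby 1 ip 172.17.2.100
 standby 1 name VPN-HSRP
 standby 1 priority 110
 standby 1 preempt
 ! Bind the crypto map to the HSRP group so IKE and IPSec use the virtual address
 ! and the SAs are rebuilt on the new active router after a failover
 crypto map VPN redundancy VPN-HSRP
!
! Advertise the RRI route internally so return traffic follows the active headend
router eigrp 100
 network 10.1.3.0 0.0.0.255
 redistribute static metric 10000 100 255 1 1500
!
! ===== Remote office ro-rtp. Without HSRP it would list both real headend addresses
! ===== with two set peer lines; with HSRP the single virtual peer is enough.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key S3cretKey-Example address 172.17.2.100
crypto isakmp keepalive 10 3
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
access-list 101 permit ip 10.1.4.0 0.0.0.255 10.1.3.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 172.17.2.100
 set transform-set STRONG
 match address 101
interface Serial1/0
 ip address 172.24.2.5 255.255.255.0
 crypto map VPN
```

This is stateless failover: after the active headend fails, the remote peer's keepalives detect the loss and IKE renegotiates with the new active router, after which show crypto ipsec sa there shows the rebuilt SAs and show ip route static shows the RRI route on that router only. standby 1 preempt returns service to the primary when it recovers, at the cost of a second renegotiation; omit it if you would rather fail back manually.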
Fragmentation
Avoid fragmentation at all costs. Packet reassembly is resource intensive from a CPU and memory
allocation perspective, and decreases network performance. Allowing fragmented packets into your
network also creates security concerns. Fragmented IPSec packets require reassembly before the packets
can undergo integrity validation and decryption.
Fragmentation can typically be avoided, as it usually occurs when an encapsulated packet, sent over a
tunnel, is too large to fit on the smallest link on the tunnel path. As long as filtering does not block the
Internet Control Message Protocol (ICMP) messages, path maximum transmission unit discovery
(PMTUD) will determine the maximum MTU that a host can use to send a packet through the tunnel
without causing fragmentation.
To allow PMTUD in your network, do not filter ICMP message Type 3, Code 4. If ICMP filtering occurs
and is out of your administrative control, you will have to either manually set the MTU lower on the VPN
termination device and allow PMTUD locally, or clear the Don't Fragment (DF) bit and force
fragmentation. In this scenario, packets generated by hosts that do not support PMTUD, and have not set
the DF bit in the IP header, will undergo fragmentation before IPSec encapsulation. Packets generated
by hosts that do support PMTUD will use it locally to match the statically configured MTU on the tunnel.
If you manually set the MTU on the tunnel, you must set it low enough to allow packets to pass through
the smallest link on the path. Otherwise, the packets that are too large to fit will be dropped, and if ICMP
filtering is in place, no feedback will be provided.
Remember that multiple layers of encapsulation each add overhead to the packet. For example, GRE and
ESP are frequently used together. In this scenario, GRE adds 24 bytes of overhead (a 20-byte IP header
and a 4-byte GRE header) before the packet is encapsulated again by ESP. ESP in tunnel mode with 3DES
and SHA then adds roughly 56 bytes more (50 to 57 bytes depending on padding: outer IP header, SPI,
sequence number, IV, padding, pad length, next header, and the truncated HMAC). Setting the tunnel MTU
to account for this total, so that PMTUD is effective at both the GRE and the ESP layer, reduces the
likelihood of fragmentation.
Depending on the VPN termination device, the manner in which you should set the MTU on the tunnel
varies. Options include changing the MTU through the tunnel interface (routers), the TCP maximum
segment size (firewalls), policy routing (routers), clear/set/copy DF bit (routers), OS application level
(VPN clients), and physical/logical interfaces (any VPN device).
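An added example, not a configuration from this guide, of the MTU settings this section describes for the GRE-over-IPSec case with 3DES and SHA: 1500 bytes on the physical link minus 24 bytes of GRE and up to 57 bytes of ESP overhead leaves about 1420, so the tunnel MTU is set to 1400 for margin and the TCP MSS is clamped 40 bytes below that (20 bytes IP plus 20 bytes TCP). The inbound filter shows the ICMP "fragmentation needed" message being allowed through so PMTUD keeps working; the DF-bit command at the end is the fallback for when ICMP is filtered beyond your control. The tunnel and serial addresses come from the scenario; the access list number is an assumption.

```cisco
interface Tunnel0
 ip address 172.17.3.3 255.255.255.0
 tunnel source 172.17.2.4
 tunnel destination 172.24.2.5
 ! 1500 - 24 (GRE) - 57 (ESP, 3DES/SHA, tunnel mode, worst-case padding) = 1419;
 ! 1400 leaves margin for the smallest link on the path
 ip mtu 1400
 ! Clamp the TCP MSS of sessions crossing the tunnel: 1400 - 20 (IP) - 20 (TCP)
 ip tcp adjust-mss 1360
 ! Let the GRE layer discover the path MTU itself (sets DF on the GRE packet)
 tunnel path-mtu-discovery
!
! Keep PMTUD working: ICMP type 3 code 4 ("fragmentation needed and DF set") must
! reach the tunnel endpoint, so permit it ahead of the final deny on the inbound filter
access-list 110 permit icmp any host 172.17.2.4 packet-too-big
access-list 110 permit udp host 172.24.2.5 host 172.17.2.4 eq isakmp
access-list 110 permit esp host 172.24.2.5 host 172.17.2.4
access-list 110 permit gre host 172.24.2.5 host 172.17.2.4
access-list 110 deny ip any any log
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 ip access-group 110 in
!
! Last resort when ICMP is filtered upstream and out of your control: clear DF on the
! outer IPSec header so oversized packets are fragmented after encapsulation instead
! of being dropped silently. This costs reassembly CPU at the far end, so prefer the
! MTU and MSS settings above and leave this line commented out.
! crypto ipsec df-bit clear
```

show interfaces tunnel 0 reports the MTU in effect (the default for a GRE tunnel is 1476, which ignores the ESP overhead). From a LAN host, a ping across the tunnel with the DF bit set and a 1400-byte payload should succeed, and one with 1450 bytes should fail immediately with an ICMP unreachable from the router rather than time out; a timeout means the ICMP feedback is being filtered somewhere.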
IKE Keepalives
IKE keepalive settings can aid in optimizing VPN performance. By Cisco IOS default, keepalives are
sent in 10 second intervals. A longer interval between keepalives reduces CPU usage, thereby increasing
network performance. There is, however, a trade-off. The longer the interval, the longer it will take to
detect a loss of connectivity. This risk can be mitigated by implementing RRI and/or HSRP. Refer to the
“Network Resiliency” section on page 2-10, for a discussion of RRI and HSRP failover mechanisms.
– Think about access control before you connect a console port to the network in any way,
including attaching a modem to the port. Be aware that a break on the console port might give
an attacker total control of the firewall, even with access control configured.
– Apply access lists and password protection to all virtual terminal ports. Use access lists to limit
who can Telnet into your router.
– Do not enable any local service (such as Simple Network Management Protocol [SNMP] or
Network Time Protocol [NTP]) that you do not plan to use. Cisco Discovery Protocol (CDP)
and NTP are on by default, and you should turn these off if you do not need them.
To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter
the ntp disable interface configuration command on each interface not using NTP.
If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen
only to certain peers.
Any enabled service could present a potential security risk. A determined, hostile party might
be able to find creative ways to misuse the enabled services to access the firewall or the network.
For local services that are enabled, protect against misuse. Protect by configuring the services
to communicate only with specific peers, and protect by configuring access lists to deny packets
for the services at specific interfaces.
– Protect against spoofing: protect the networks on both sides of the firewall from being spoofed
from the other side. You could protect against spoofing by configuring input access lists at all
interfaces to pass only traffic from expected source addresses and to deny all other traffic.
You should also disable source routing. For IP, enter the no ip source-route global
configuration command. If you disable source routing at all routers, it helps prevent spoofing.
You should also disable minor services. For IP, enter the no service tcp-small-servers and no
service udp-small-servers global configuration commands.
– Prevent the firewall from being used as a relay by configuring access lists on any asynchronous
Telnet ports.
– Normally, you should disable directed broadcasts for all applicable protocols on your firewall
and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some
IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.
Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because
every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some
hosts have other intrinsic security risks present when handling broadcasts.
– Configure the no ip proxy-arp interface configuration command to prevent internal addresses
from being revealed. (This is important to do if you do not already have NAT configured to
prevent internal addresses from being revealed.)
– Whenever possible, keep the firewall in a secured (locked) room.
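The checklist above collected into one baseline configuration for the Internet-facing router, as an added example that is not a configuration from this guide. It adds what the list only describes: the access list that limits Telnet to the management subnet, the anti-spoofing input lists on both interfaces, and NTP restricted to a single peer. The inside subnet 10.1.3.0/24, the remote office subnet 10.1.4.0/24 and the peer addresses come from the scenario; the NTP server, the inside interface address, the username and the list numbers are assumptions.

```cisco
! --- Global services: turn off what is not used ---
no cdp run
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip http server
service password-encryption
!
! --- NTP: accept time only from one known server (address assumed) ---
access-list 20 permit host 10.1.3.10
ntp server 10.1.3.10
ntp access-group peer 20
!
! --- Management access: only inside hosts may reach the VTYs, with an idle timeout ---
access-list 10 permit 10.1.3.0 0.0.0.255
username admin secret Example-Only-ChangeMe
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
!
! --- Anti-spoofing on the Internet-facing interface ---
! Packets claiming an inside or loopback source must not arrive from the Internet.
! Cleartext packets from the Internet that match the crypto ACL are dropped by IPSec
! itself. The gre and 10.1.4.0/24 permits exist because Cisco IOS releases before
! 12.3(8)T check decrypted packets against this list a second time: gre for a
! GRE-over-IPSec design, the LAN prefix for an IPSec-only design.
access-list 120 deny ip 10.1.3.0 0.0.0.255 any log
access-list 120 deny ip 127.0.0.0 0.255.255.255 any log
access-list 120 permit udp host 172.24.2.5 host 172.17.2.4 eq isakmp
access-list 120 permit esp host 172.24.2.5 host 172.17.2.4
access-list 120 permit gre host 172.24.2.5 host 172.17.2.4
access-list 120 permit ip 10.1.4.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 120 permit icmp any host 172.17.2.4 packet-too-big
access-list 120 deny ip any any log
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 ip access-group 120 in
 no ip directed-broadcast
 no ip proxy-arp
 ntp disable
!
! --- Inside interface: only inside sources may leave through the router ---
access-list 121 permit ip 10.1.3.0 0.0.0.255 any
access-list 121 deny ip any any log
interface FastEthernet0/0
 ip address 10.1.3.1 255.255.255.0
 ip access-group 121 in
 no ip directed-broadcast
 no ip proxy-arp
```

show access-lists after a few minutes of traffic is the check: hits on the deny lines of list 120 are spoofed or unexpected packets arriving from the Internet, hits on the deny line of list 121 are inside hosts sending with addresses they should not own, and a steady count on the packet-too-big line confirms that PMTUD feedback is getting through.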
To access the documentation for the applications discussed in this section on Cisco.com, refer to the
following URL:
http://www.cisco.com/en/US/products/sw/netmgtsw/index.html
This chapter explains the basic tasks for configuring IP-based, site-to-site and extranet Virtual Private
Networks (VPNs) on a Cisco 7200 series router using generic routing encapsulation (GRE) and IPSec
tunneling protocols. Basic security, Network Address Translation (NAT), encryption, Cisco IOS
weighted fair queuing (WFQ), and extended access lists for basic traffic filtering are configured.
Note In this Guide, the term ‘Cisco 7200 series router’ implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
This chapter describes basic features and configurations used in a site-to-site VPN scenario. Some
Cisco IOS security software features not described in this document can be used to increase performance
and scalability of your VPN. For up-to-date Cisco IOS security software features documentation, refer
to the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference
publications for your Cisco IOS Release. For information on how to access the publications, see
“Related Documentation” section on page xi.
This chapter includes the following sections:
• Scenario Descriptions, page 3-2
• Step 1—Configuring the Tunnel, page 3-6
• Step 2—Configuring Network Address Translation, page 3-10
• Step 3—Configuring Encryption and IPSec, page 3-14
• Step 4—Configuring Quality of Service, page 3-28
• Step 5—Configuring Cisco IOS Firewall Features, page 3-36
• Comprehensive Configuration Examples, page 3-39
Note Throughout this chapter, there are numerous configuration examples and sample configuration outputs
that include unusable IP addresses. Be sure to use your own IP addresses when configuring your Cisco
7200 series router.
Scenario Descriptions
This section includes the following topics:
• Site-to-Site Scenario, page 3-2
• Extranet Scenario, page 3-4
• Configuring a GRE Tunnel, page 3-7
• Configuring an IPSec Tunnel, page 3-9
• Configuring Static Inside Source Address Translation, page 3-13
• Verifying Static Inside Source Address Translation, page 3-13
• Configuring IKE Policies, page 3-15
• Verifying IKE Policies, page 3-19
• Configuring IPSec and IPSec Tunnel Mode, page 3-22
• Configuring Crypto Maps, page 3-24
• Configuring Network-Based Application Recognition, page 3-29
• Configuring Weighted Fair Queuing, page 3-32
• Verifying Weighted Fair Queuing, page 3-33
• Configuring Class-Based Weighted Fair Queuing, page 3-33
• Verifying Class-Based Weighted Fair Queuing, page 3-36
• Creating Extended Access Lists Using Access List Numbers, page 3-37
• Verifying Extended Access Lists, page 3-38
• Applying Access Lists to Interfaces, page 3-38
• Verifying Extended Access Lists Are Applied Correctly, page 3-39
Site-to-Site Scenario
Figure 3-1 shows a headquarters network providing a remote office access to the corporate intranet. In
this scenario, the headquarters and remote office are connected through a secure GRE tunnel that is
established over an IP infrastructure (the Internet). Employees in the remote office are able to access
internal, private web pages and perform various IP-based network tasks.
Note Although the site-to-site VPN scenario in this chapter is configured with GRE tunneling, a site-to-site
VPN can also be configured with IPSec only tunneling.
Figure 3-2 shows the physical elements of the scenario. The Internet provides the core interconnecting
fabric between the headquarters and remote office routers. Both the headquarters and remote office are
using a Cisco IOS VPN gateway (a Cisco 7200 series with an Integrated Service Adaptor (ISA) or VAM
(VAM, VAM2, or VAM2+), a Cisco 2600 series router, or a Cisco 3600 series router).
Note VPN Acceleration Module (VAM) information for your Cisco 7200 series router can be found at
http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_and_configuration_guid
es_list.html.
The GRE tunnel is configured on the first serial interface in chassis slot 1 (serial 1/0) of the headquarters
and remote office routers. Fast Ethernet interface 0/0 of the headquarters router is connected to a
corporate server and Fast Ethernet interface 0/1 is connected to a web server. Fast Ethernet interface 0/0
of the remote office router is connected to a PC client.
[Figure 3-2 (site-to-site scenario, physical elements): private corporate server 10.1.3.6/24 and public
web server 10.1.6.5/24 behind the headquarters gateway; PC A 10.1.4.3/24 behind the remote office
gateway; the figure also shows the address 10.1.6.4/24 on the public server segment.]
The configuration steps in the following sections are for the headquarters router, unless noted otherwise.
Comprehensive configuration examples for both the headquarters and remote office routers are provided
in the “Comprehensive Configuration Examples” section on page 3-39.
Extranet Scenario
The extranet scenario introduced in Figure 3-3 builds on the site-to-site scenario by providing a business
partner access to the same headquarters network. In the extranet scenario, the headquarters and business
partner are connected through a secure IPSec tunnel and the business partner is given access only to the
headquarters public server to perform various IP-based network tasks, such as placing and managing
product orders.
[Figure 3-1 (site-to-site scenario): headquarters gateway (hq-sanjose) connected by a GRE tunnel
across the Internet to the remote office gateway (ro-rtp); the corporate intranet sits behind the
headquarters gateway and the remote office network behind the remote office gateway, each attached
over a serial line.]
Figure 3-4 shows the physical elements of the scenario. As in the site-to-site business scenario, the
Internet provides the core interconnecting fabric between the headquarters and business partner routers.
Like the headquarters office, the business partner is also using a Cisco IOS VPN gateway (a Cisco 7200
series with an Integrated Service Adaptor (ISA) or VAM (VAM, VAM2, or VAM2+), a Cisco 2600 series
router, or a Cisco 3600 series router).
Note VPN Acceleration Module (VAM) information for your Cisco 7200 series router can be found at
http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_and_configuration_guid
es_list.html.
The IPSec tunnel between the two sites is configured on the second serial interface in chassis slot 2
(serial 2/0) of the headquarters router and the first serial interface in chassis slot 1 (serial 1/0) of the
business partner router. Fast Ethernet interface 0/0 of the headquarters router is still connected to a
private corporate server and Fast Ethernet interface 0/1 is connected to a public server. Fast Ethernet
interface 0/0 of the business partner router is connected to a PC client.
[Figure 3-4 (extranet scenario, physical elements): headquarters gateway (hq-sanjose) with the private
corporate server 10.1.3.6/24 and the public web server 10.1.6.5/24; IPSec tunnel across the Internet to
the business partner gateway (bus-ptnr), whose Serial 1/0 is 172.23.2.7/24 and whose Fast Ethernet 0/0
is 10.1.5.2/24; PC B 10.1.5.3/24 behind the business partner gateway; PC A behind the remote office
gateway as in Figure 3-2.]
The configuration steps in the following sections are for the headquarters router, unless noted otherwise.
Comprehensive configuration examples for both the headquarters and business partner routers are
provided in the “Comprehensive Configuration Examples” section on page 3-39.
[Figure (GRE tunneling): a normal packet of the passenger protocol is wrapped by the encapsulation
protocol (GRE) and carried by the transport protocol (IP) as a tunnel packet.]
This section contains basic steps to configure a GRE tunnel and includes the following tasks:
• Configuring the Tunnel Interface, Source, and Destination
• Verifying the Tunnel Interface, Source, and Destination
Note The following procedure assumes the tunnel interface, source, and destination on the remote office
router are configured with the values listed in Table 3-1.
Command and purpose for each step:

Step 1
hq-sanjose(config)# interface tunnel 0
hq-sanjose(config-if)# ip address 172.17.3.3 255.255.255.0
Specify a tunnel interface number, enter interface configuration mode, and configure an IP address and
subnet mask on the tunnel interface. This example configures IP address and subnet mask 172.17.3.3
255.255.255.0 for tunnel interface 0 on the headquarters router.

Step 2
hq-sanjose(config-if)# tunnel source 172.17.2.4
Specify the tunnel source address. The tunnel source command takes an IP address or an interface name,
not a subnet mask. This example uses the IP address of T3 serial interface 1/0 of the headquarters router;
tunnel source serial 1/0 would be equivalent.

Step 3
hq-sanjose(config-if)# tunnel destination 172.24.2.5
Specify the tunnel destination address (again without a subnet mask). This example uses the IP address
of T3 serial interface 1/0 of the remote office router.

Step 4
hq-sanjose(config-if)# tunnel mode gre ip
Configure GRE as the tunnel mode. GRE is the default tunnel encapsulation mode, so this command is
optional.

Step 5
hq-sanjose(config)# interface tunnel 0
hq-sanjose(config-if)# no shutdown
%LINK-3-UPDOWN: Interface Tunnel0, changed state to up
Bring up the tunnel interface.(1)

Step 6
hq-sanjose(config-if)# exit
hq-sanjose(config)# ip route 10.1.4.0 255.255.255.0 tunnel 0
Exit back to global configuration mode and route traffic destined for the remote office network through
the tunnel. This example sends traffic for the remote office Fast Ethernet network (10.1.4.0
255.255.255.0) through GRE tunnel 0.
1. This command changes the state of the tunnel interface from administratively down to up.
Note When configuring GRE, you must have only Cisco routers or access servers at both ends of the tunnel
connection.
• Try pinging the tunnel interface of the remote office router (this example uses the IP address of
tunnel interface 1 [172.24.3.6]). The ping command is entered from privileged EXEC mode (or, on
Cisco IOS releases that support it, as do ping from configuration mode):
hq-sanjose# ping 172.24.3.6
Tip If you have trouble, make sure you are using the correct IP address, that you enabled the tunnel
interface with the no shutdown command, and that the router has a route to the remote tunnel address.
mode protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel
endpoints and not the true source and destination of the packets passing through the tunnel, even if they
are the same as the tunnel endpoints.
Note IPSec tunnel mode configuration instructions are described in detail in the “Configuring IPSec and IPSec
Tunnel Mode” section on page 3-22.
In IPSec transport mode, only the IP payload is encrypted, and the original IP headers are left intact.
(See Figure 3-6.) This mode has the advantage of adding only a few bytes to each packet. It also allows
devices on the public network to see the final source and destination of the packet. With this capability,
you can enable special processing in the intermediate network based on the information in the IP header.
However, the Layer 4 header will be encrypted, limiting the examination of the packet. Unfortunately,
by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis.
(See the “Defining Transform Sets and Configuring IPSec Tunnel Mode” section on page 3-23 for an
IPSec transport mode configuration example.)
[Figure 3-6 (IPSec transport mode): the original packet IP HDR | Data becomes IP HDR | encrypted
Data; the IP header is kept in the clear and only the payload is protected.]
Network Address Translation (NAT) enables private IP internetworks with addresses that are not
globally unique to connect to the Internet by translating those addresses into globally routable address
space. NAT is configured on the router at the border of a stub domain (referred to as the inside network)
and a public network such as the Internet (referred to as the outside network). NAT translates the internal
local addresses to globally unique IP addresses before sending packets to the outside network. NAT also
allows a more graceful renumbering strategy for organizations that are changing service providers or
voluntarily renumbering into classless interdomain routing (CIDR) blocks.
This section only explains how to configure static translation to translate internal local IP addresses into
globally unique IP addresses before sending packets to an outside network, and includes the following
tasks:
• Configuring Static Inside Source Address Translation
• Verifying Static Inside Source Address Translation
Static translation establishes a one-to-one mapping between your internal local address and an inside
global address. Static translation is useful when a host on the inside must be accessible by a fixed address
from the outside.
Note For detailed, additional configuration information on NAT—for example, instructions on how to
configure dynamic translation—refer to the “Configuring IP Addressing” chapter in the Network
Protocols Configuration Guide, Part 1. NAT is also described in RFC 1631.
Figure 3-7 NAT inside source address translation (placeholder for the figure: hosts 10.1.1.1 and 10.1.1.2 on the inside interface, the Internet and Host B 10.6.7.3 on the outside interface; the numbered steps 1 to 5 in the figure correspond to the process below)

NAT table
Inside local IP address   Inside global IP address
10.1.1.2                  10.2.2.3
10.1.1.1                  10.2.2.2
The following process describes inside source address translation, as shown in Figure 3-7:
1. The user at Host 10.1.1.1 opens a connection to Host B.
2. The first packet that the router receives from Host 10.1.1.1 causes the router to check its NAT table.
If a static translation entry was configured, the router goes to Step 3.
If no translation entry exists, the router determines that source address (SA) 10.1.1.1 must be
translated dynamically, selects a legal, global address from the dynamic address pool, and creates a
translation entry. This type of entry is called a simple entry.
3. The router replaces the inside local source address of Host 10.1.1.1 with the translation entry global
address, and forwards the packet.
4. Host B receives the packet and responds to Host 10.1.1.1 by using the inside global IP destination
address (DA) 10.2.2.2.
5. When the router receives the packet with the inside global IP address, it performs a NAT table
lookup by using the inside global address as a key. It then translates the address to the inside local
address of Host 10.1.1.1 and forwards the packet to Host 10.1.1.1.
6. Host 10.1.1.1 receives the packet and continues the conversation. The router performs Steps 2
through 5 for each packet.
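The six-step process above, as an added Python simulation that is not part of the Cisco guide: it uses the NAT table from Figure 3-7 plus a constructed dynamic pool, so it also shows the "simple entry" the router creates when no static entry exists.

```python
"""Simulation of Cisco IOS inside source address translation.

Added example, not from the Cisco guide: it follows the six-step process
described for Figure 3-7, using that figure's addresses, for both static
entries and the dynamically created "simple entry". Packets are plain dicts
with source ("sa") and destination ("da") addresses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NatRouter:
    """Border router holding the NAT table (inside local -> inside global)."""
    static: Dict[str, str]                 # static one-to-one mappings
    pool: List[str]                        # dynamic address pool (constructed)
    table: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.table.update(self.static)     # static entries are always present

    def outbound(self, packet: dict) -> dict:
        """Steps 2 and 3: translate the source of a packet leaving the inside."""
        local = packet["sa"]
        glob = self.table.get(local)
        if glob is None:
            # No translation entry: take a legal global address from the pool,
            # create a simple entry, then translate with it.
            if not self.pool:
                raise RuntimeError("dynamic address pool exhausted")
            glob = self.pool.pop(0)
            self.table[local] = glob
        return {**packet, "sa": glob}

    def inbound(self, packet: dict) -> Optional[dict]:
        """Step 5: look up the inside global DA and restore the inside local address."""
        for local, glob in self.table.items():
            if glob == packet["da"]:
                return {**packet, "da": local}
        return None  # no entry for this global address: nothing to deliver it to


def conversation(router: NatRouter, inside_host: str, outside_host: str) -> dict:
    """Run one request/reply pair (steps 1 to 6) and return what each side saw."""
    request = router.outbound({"sa": inside_host, "da": outside_host})   # step 3
    reply = router.inbound({"sa": outside_host, "da": request["sa"]})    # steps 4, 5
    return {"seen_by_host_b": request["sa"], "delivered_to": reply["da"]}


if __name__ == "__main__":
    # NAT table from Figure 3-7 plus a constructed pool for dynamic entries.
    hq = NatRouter(static={"10.1.1.1": "10.2.2.2", "10.1.1.2": "10.2.2.3"},
                   pool=["10.2.2.10", "10.2.2.11"])
    print(conversation(hq, "10.1.1.1", "10.6.7.3"))  # static entry
    print(conversation(hq, "10.1.1.9", "10.6.7.3"))  # simple entry from the pool
    print(hq.table)
```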
This section contains the following topics:
• Configuring Static Inside Source Address Translation
• Verifying Static Inside Source Address Translation
Command Purpose
Step 1  hq-sanjose(config)# ip nat inside source static 10.1.6.5 10.2.2.2
        Establish static translation between an inside local address and an inside global address. This example translates inside local address 10.1.6.5 (the server) to inside global address 10.2.2.2.
Step 2  hq-sanjose(config)# interface fastethernet 0/1
        Specify the inside interface. This example specifies Fast Ethernet interface 0/1 on the headquarters router.
Step 3  hq-sanjose(config-if)# ip nat inside
        Mark the interface as connected to the inside.
Step 4  hq-sanjose(config-if)# interface serial 2/0
        Specify the outside interface. This example specifies serial interface 2/0 on the headquarters router.
Step 5  hq-sanjose(config-if)# ip nat outside
        Mark the interface as connected to the outside.
Step 6  hq-sanjose(config-if)# exit
        hq-sanjose(config)#
        Exit back to global configuration mode.
The previous steps are the minimum you must configure for static inside source address translation. You
could configure multiple inside and outside interfaces.
• Enter the show running-config EXEC command to see the inside and outside interfaces, global and
local address translations, and to confirm static translation is configured (display text has been
omitted from the following sample output for clarity).
hq-sanjose# show running-config
interface FastEthernet0/1
ip address 10.1.6.5 255.255.255.0
no ip directed-broadcast
ip nat inside
interface serial2/0
ip address 172.16.2.2 255.255.255.0
ip nat outside
Note You can configure a static crypto map, create a dynamic crypto map, or add a dynamic crypto map into
a static crypto map. Refer to the “Configuring Crypto Maps” section on page 3-24.
Optionally, you can configure CA interoperability. This guide does not explain how to configure CA
interoperability on your Cisco 7200 series router. Refer to the “IP Security and Encryption” part of the
Security Configuration Guide and the Cisco IOS Security Command Reference publication for detailed
information on configuring CA interoperability. See the “Related Documentation” section on page xi for
additional information on how to access these publications.
Note This section only contains basic configuration information for enabling encryption and IPSec tunneling
services. Refer to the “IP Security and Encryption” part of the Cisco IOS Security Configuration
Guide and the Security Command Reference publications for detailed configuration information on
IPSec, IKE, and CA. See “Related Documentation” section on page xi for information on how to access
these publications.
Refer to the Integrated Service Adapter and Integrated Service Module Installation and Configuration
publication for detailed configuration information on the ISM.
Note The default policy and the default values for configured policies do not show up in the configuration
when you issue a show running-config EXEC command. Instead, to see the default policy and any
default values within configured policies, use the show crypto isakmp policy EXEC command.
This section contains basic steps to configure IKE policies and includes the following tasks:
• Creating IKE Policies
• Additional Configuration Required for IKE Policies
• Configuring Pre-shared Keys
Command Purpose
Step 1  hq-sanjose(config)# crypto isakmp policy 1
        Enter config-isakmp command mode and identify the policy to create. (Each policy is uniquely identified by the priority number you assign.) This example configures policy 1.
Step 2  hq-sanjose(config)# crypto isakmp keepalive 12 2
        Optional step: Specify the time interval of IKE keepalive packets (default is 10 seconds), and the retry interval used after a keepalive packet fails. This example configures the keepalive interval for 12 seconds and the retry interval for 2 seconds.
Step 3  hq-sanjose(config-isakmp)# encryption des
        Specify the encryption algorithm—56-bit Data Encryption Standard (DES [des]) or 168-bit Triple DES (3des). This example configures the DES algorithm, which is the default.
Step 4  hq-sanjose(config-isakmp)# hash sha
        Specify the hash algorithm—Message Digest 5 (MD5 [md5]) or Secure Hash Algorithm (SHA [sha]). This example configures SHA, which is the default.
Step 5  hq-sanjose(config-isakmp)# authentication pre-share
        Specify the authentication method—pre-shared keys (pre-share), RSA[1] encrypted nonces (rsa-encr), or RSA signatures (rsa-sig). This example configures pre-shared keys. The default is RSA signatures.
Step 6  hq-sanjose(config-isakmp)# group 1
        Specify the Diffie-Hellman group identifier—768-bit Diffie-Hellman (1) or 1024-bit Diffie-Hellman (2). This example configures 768-bit Diffie-Hellman, which is the default.
Step 7  hq-sanjose(config-isakmp)# lifetime 86400
        Specify the security association’s lifetime in seconds. This example configures 86400 seconds (one day).
Step 8  hq-sanjose(config-isakmp)# exit
        hq-sanjose(config)#
        Exit back to global configuration mode.
1. RSA = Rivest, Shamir, and Adelman.
The certificates are used by each peer to securely exchange public keys. (RSA signatures require
that each peer has the remote peer’s public signature key.) When both peers have valid certificates,
they will automatically exchange public keys with each other as part of any IKE negotiation in which
RSA signatures are used.
• RSA encrypted nonces method:
If you specify RSA encrypted nonces as the authentication method in a policy, you need to ensure
that each peer has the other peers’ public keys.
Unlike RSA signatures, the RSA encrypted nonces method does not use certificates to exchange
public keys. Instead, you ensure that each peer has the others’ public keys by doing the following:
– Manually configure RSA keys as described in the “Configuring Internet Key Exchange Security
Protocol” chapter of the Cisco IOS Security Configuration Guide.
– Ensure that an IKE exchange using RSA signatures has already occurred between the peers.
(The peers’ public keys are exchanged during the RSA-signatures-based IKE negotiations.)
To make this happen, specify two policies: a higher-priority policy with RSA encrypted nonces,
and a lower-priority policy with RSA signatures. When IKE negotiations occur, RSA signatures
will be used the first time because the peers do not yet have each others’ public keys. Then,
future IKE negotiations will be able to use RSA-encrypted nonces because the public keys will
have been exchanged.
Of course, this alternative requires that you have CA support configured.
• Pre-shared keys authentication method:
If you specify pre-shared keys as the authentication method in a policy, you must configure these
pre-shared keys as described in the “Configuring Pre-shared Keys” section on page 3-17.
• Digital certificate authentication method:
If you specify digital certificates as the authentication method in a policy, the CA must be properly
configured to issue certificates. You must also configure the peers to obtain certificates from the CA.
Configure this certificate support as described in the “Configuring Certification Authority
Interoperability” chapter of the Cisco IOS Security Configuration Guide.
Digital certificates simplify authentication. You need only enroll each peer with the CA, rather than
manually configuring each peer to exchange keys. Cisco recommends using digital certificates in a
network of more than 50 peers.
If RSA encryption is configured and signature mode is negotiated, the peer will request both signature
and encryption keys. Basically, the router will request as many keys as the configuration will support. If
RSA encryption is not configured, it will just request a signature key.
Step 1 Set each peer ISAKMP identity. Each peer identity should be set to either its host name or by its IP
address. By default, a peer identity is set to its IP address.
Step 2 Specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. At
a given peer, you could specify the same key to share with multiple remote peers; however, a more secure
approach is to specify different keys to share between different pairs of peers.
Note The following procedure is based on the “Site-to-Site Scenario” section on page 3-2. However, the same
configuration commands can be used in an extranet scenario.
To specify pre-shared keys at a peer, complete the following steps in global configuration mode:
Command Purpose
Step 1  hq-sanjose(config)# crypto isakmp identity address
        At the local peer: Specify the ISAKMP identity (address or hostname) the headquarters router will use when communicating with the remote office router during IKE negotiations. This example specifies the address keyword, which uses IP address 172.17.2.4 (serial interface 1/0 of the headquarters router) as the identity for the headquarters router.
Step 2  hq-sanjose(config)# crypto isakmp key test12345 address 172.24.2.5
        At the local peer: Specify the shared key the headquarters router will use with the remote office router. This example configures the shared key test12345 to be used with the remote peer 172.24.2.5 (serial interface 1/0 on the remote office router).
Step 3  ro-rtp(config)# crypto isakmp identity address
        At the remote peer: Specify the ISAKMP identity (address or hostname) the remote office router will use when communicating with the headquarters router during IKE negotiations. Again, this example specifies the address keyword, which uses IP address 172.24.2.5 (serial interface 1/0 of the remote office router) as the identity for the remote office router.
Step 4  ro-rtp(config)# crypto isakmp key test12345 address 172.17.2.4
        At the remote peer: Specify the shared key to be used with the local peer. This is the same key you just specified at the local peer. This example configures the shared key test12345 to be used with the local peer 172.17.2.4 (serial interface 1/0 on the headquarters router).
Note Set an ISAKMP identity whenever you specify pre-shared keys. The address keyword is typically used
when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE
negotiations, and the IP address is known. Use the hostname keyword if there is more than one interface
on the peer that might be used for IKE negotiations, or if the interface IP address is unknown (such as
with dynamically-assigned IP addresses).
Configuring the Cisco 7200 Series Router for Digital Certificate Interoperability
To configure your Cisco 7200 series router to use digital certificates as the authentication method, use
the following steps, beginning in global configuration mode. This configuration assumes the use of the
IOS default ISAKMP policy, which uses DES, SHA, RSA signatures, Diffie-Hellman group 1, and a
lifetime of 86,400 seconds. Cisco recommends using 3DES. Refer to the “Creating IKE Policies” section
on page 3-16 for an ISAKMP configuration example which specifies 3DES as the encryption method.
Note This example only configures the head-end Cisco 7200 series router. Additionally, each peer must be
enrolled with a CA. This configuration example does not configure the CA. CA configuration
instructions should be obtained from your CA vendor.
Command Purpose
Step 1  hq-sanjose(config)# crypto ca identity name
        Declares a CA. The name should be the domain name of the CA. This command puts you into the ca-identity configuration mode.
Step 2  hq-sanjose(ca-identity)# enrollment url url
        Specifies the URL of the CA. (The URL should include any nonstandard cgi-bin script location.)
Step 3  hq-sanjose(ca-identity)# enrollment mode ra
        (Optional) Specifies RA mode if your CA system provides a registration authority (RA). The Cisco IOS software automatically determines the mode—RA or non-RA; therefore, if RA mode is used, this subcommand is written to NVRAM during "write memory."
Step 4  hq-sanjose(ca-identity)# query url url
        Specifies the location of the LDAP server if your CA system provides an RA and supports the LDAP protocol.
Step 5  hq-sanjose(ca-identity)# enrollment retry period minutes
        (Optional) Specifies that other peer certificates can still be accepted by your router even if the appropriate CRL is not accessible to your router.
Step 6  hq-sanjose(ca-identity)# enrollment retry count number
        (Optional) Specifies how many times the router will continue to send unsuccessful certificate requests before giving up. By default, the router will never give up trying.
Step 7  hq-sanjose(ca-identity)# crl optional
        (Optional) Specifies that other peers’ certificates can still be accepted by your router even if the appropriate CRL is not accessible to your router.
Step 8  hq-sanjose(ca-identity)# exit
        Exits ca-identity configuration mode.
Note Although the above output shows “no volume limit” for the lifetime, you can currently only configure a
time lifetime (such as 86400 seconds); volume limit lifetimes are not configurable.
Tip If you have trouble, use the show version command to ensure your Cisco 7200 series router is running
a Cisco IOS software image that supports crypto.
ski03_7206#show version
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JK9O3S-M), Version 12.3(3), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Mon 28-Jul-03 15:45 by dchih
Image text-base: 0x60008954, data-base: 0x6219E000
ROM: System Bootstrap, Version 12.1(20000710:044039) [nlaw-121E_npeb 117], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.1(8a)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
m5-7206 uptime is 0 minutes
System returned to ROM by reload at 22:20:24 UTC Wed Aug 13 2003
System image file is "tftp://17.8.16.70/images/c7200-jk9o3s-mz.123-3"
Last reload reason: Reload command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 7206VXR (NPE400) processor (revision A) with 229376K/32768K bytes of memory.
Processor board ID 21281666
R7000 CPU at 350Mhz, Implementation 39, Rev 3.2, 256KB L2, 4096KB L3 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
PCI bus mb0_mb1 has 640 bandwidth points
PCI bus mb2 has 270 bandwidth points
WARNING: PCI bus mb0_mb1 Exceeds 600 bandwidth points
4 Ethernet/IEEE 802.3 interface(s)
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
1 ATM network interface(s)
1 Integrated service adapter(s)
125K bytes of non-volatile configuration memory.
125440K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x0
Step 1 Set each peer Internet Security Association & Key Management Protocol (ISAKMP) identity. Each peer
identity should be set to either its host name or by its IP address. By default, a peer identity is set to its
IP address. In this scenario, you only need to complete this task at the business partner router.
Step 2 Specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. At
a given peer, you could specify the same key to share with multiple remote peers; however, a more secure
approach is to specify different keys to share between different pairs of peers.
Note The following procedure is based on the “Extranet Scenario” section on page 3-4.
To configure a different pre-shared key for use between the headquarters router and the business partner
router, complete the following steps in global configuration mode:
Command Purpose
Step 1  hq-sanjose(config)# crypto isakmp key test67890 address 172.23.2.7
        At the local peer: Specify the shared key the headquarters router will use with the business partner router. This example configures the shared key test67890 to be used with the remote peer 172.23.2.7 (serial interface 1/0 on the business partner router).
Step 2  bus-ptnr(config)# crypto isakmp identity address
        At the remote peer: Specify the ISAKMP identity (address or hostname) the business partner router will use when communicating with the headquarters router during IKE negotiations. (This task was already completed on the headquarters router when policy 1 was configured in the “Configuring IKE Policies” section on page 3-15.) This example specifies the address keyword, which uses IP address 172.23.2.7 (serial interface 1/0 of the business partner router) as the identity for the business partner router.
Step 3  bus-ptnr(config)# crypto isakmp key test67890 address 172.17.2.4
        At the remote peer: Specify the shared key to be used with the local peer. This is the same key you just specified at the local peer. This example configures the shared key test67890 to be used with the local peer 172.16.2.2 (serial interface 2/0 on the headquarters router).
Note Set an ISAKMP identity whenever you specify pre-shared keys. The address keyword is typically used
when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE
negotiations, and the IP address is known. Use the hostname keyword if there is more than one interface
on the peer that might be used for IKE negotiations, or if the interface IP address is unknown (such as
with dynamically-assigned IP addresses).
Note IKE uses User Datagram Protocol (UDP) port 500. The IPSec encapsulating security payload (ESP) and
authentication header (AH) protocols use IP protocol numbers 50 and 51. Ensure that your access lists
are configured so that IP protocol 50, 51, and UDP port 500 traffic is not blocked at interfaces used by
IPSec. In some cases, you might need to add a statement to your access lists to explicitly permit this
traffic. Crypto access lists use the same format as standard access lists. However, the permit command
instructs the router to encrypt data, and the deny command instructs the router to allow unencrypted
data.
Command Purpose
hq-sanjose(config)# access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
        Specify conditions to determine which IP packets are protected.[1] (Enable or disable crypto for traffic that matches these conditions.) This example configures access list 111 to encrypt all IP traffic between the headquarters server (translated inside global IP address 10.2.2.2) and PC B (IP address 10.1.5.3) in the business partner office.
        We recommend that you configure “mirror image” crypto access lists for use by IPSec and that you avoid using the any keyword.
1. You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list.
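The pre-shared key procedure above and the crypto access list just shown are the two places where the two peers' configurations must agree, so here is an added Python cross-check (not from the Cisco guide) that reads both peers' configuration text, using the guide's addresses and keys in constructed sample fragments, and reports missing or differing keys, one key reused for several peers, crypto access lists that are not mirror images, and use of the any keyword.

```python
"""Cross-check two IPSec peers' pre-shared keys and crypto access lists.

Added example, not part of the Cisco guide. It parses `crypto isakmp key`
and numbered extended `access-list` lines from each peer's configuration
(constructed sample text below) and reports the mismatches that otherwise
show up only as failed IKE or IPSec negotiations.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r"^\s*crypto isakmp key (\S+) address (\S+)")
Entry = Tuple[str, str, str]  # (action, source, destination)


def _addr(tok: List[str]) -> Tuple[str, List[str]]:
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]} {tok[1]}", tok[2:]


def parse_config(text: str) -> Tuple[Dict[str, str], Dict[str, List[Entry]]]:
    """Return ({peer address: key}, {access list number: [entries]})."""
    keys: Dict[str, str] = {}
    acls: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            keys[m.group(2)] = m.group(1)
            continue
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[3] == "ip":
            src, rest = _addr(tok[4:])
            dst, _ = _addr(rest)
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return keys, acls


def psk_problems(local_ip: str, local_keys: Dict[str, str],
                 remote_ip: str, remote_keys: Dict[str, str]) -> List[str]:
    """Each side must hold the same key for the other; keys should not be reused."""
    problems = []
    k_local, k_remote = local_keys.get(remote_ip), remote_keys.get(local_ip)
    if k_local is None:
        problems.append(f"{local_ip} has no pre-shared key for peer {remote_ip}")
    if k_remote is None:
        problems.append(f"{remote_ip} has no pre-shared key for peer {local_ip}")
    if k_local and k_remote and k_local != k_remote:
        problems.append("pre-shared keys for this peer pair differ")
    # The guide recommends a different key for each pair of peers.
    for ip, keys in ((local_ip, local_keys), (remote_ip, remote_keys)):
        if len(set(keys.values())) < len(keys):
            problems.append(f"{ip} reuses one pre-shared key for several peers")
    return problems


def acl_problems(local_acl: List[Entry], remote_acl: List[Entry]) -> List[str]:
    """Flag the any keyword and lists that are not mirror images of each other."""
    problems = []
    for action, src, dst in local_acl + remote_acl:
        if "any" in (src, dst):
            problems.append(f"'{action} ip {src} {dst}' uses the any keyword")
    # Mirror image: every (src, dst) on one peer appears as (dst, src) on the other.
    if {(a, d, s) for a, s, d in local_acl} != set(remote_acl):
        problems.append("crypto access lists are not mirror images")
    return problems


def check_peers(local_cfg: str, local_ip: str, remote_cfg: str, remote_ip: str,
                acl_id: str) -> List[str]:
    """Combine both checks for one peer pair; an empty list means no findings."""
    lk, la = parse_config(local_cfg)
    rk, ra = parse_config(remote_cfg)
    return (psk_problems(local_ip, lk, remote_ip, rk)
            + acl_problems(la.get(acl_id, []), ra.get(acl_id, [])))


# Constructed configuration fragments using the guide's addresses and keys.
HQ_CFG = """
crypto isakmp identity address
crypto isakmp key test12345 address 172.24.2.5
crypto isakmp key test67890 address 172.23.2.7
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
"""
PARTNER_CFG = """
crypto isakmp identity address
crypto isakmp key test67890 address 172.17.2.4
access-list 111 permit ip host 10.1.5.3 host 10.2.2.2
"""
# A constructed broken partner: mistyped key and a non-mirrored entry using any.
BAD_PARTNER_CFG = """
crypto isakmp key test6789O address 172.17.2.4
access-list 111 permit ip any host 10.2.2.2
"""

if __name__ == "__main__":
    print(check_peers(HQ_CFG, "172.17.2.4", PARTNER_CFG, "172.23.2.7", "111"))
    print(check_peers(HQ_CFG, "172.17.2.4", BAD_PARTNER_CFG, "172.23.2.7", "111"))
```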
Tip If you have trouble, make sure you are specifying the correct access list number.
Command Purpose
Step 1  hq-sanjose(config)# crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
        Define a transform set and enter crypto-transform configuration mode. This example combines AH[1] transform ah-sha-hmac, ESP[2] encryption transform esp-des, and ESP authentication transform esp-sha-hmac in the transform set proposal4.
        There are complex rules defining which entries you can use for the transform arguments. These rules are explained in the command description for the crypto ipsec transform-set command. You can also use the crypto ipsec transform-set ? command, in global configuration mode, to view the available transform arguments.
Step 2  hq-sanjose(cfg-crypto-trans)# mode tunnel
        Change the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.) This example configures tunnel mode for the transform set proposal4, which creates an IPSec tunnel between the IPSec peer addresses.
Step 3  hq-sanjose(cfg-crypto-trans)# exit
        hq-sanjose(config)#
        Exit back to global configuration mode.
1. AH = authentication header. This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header. It does not provide confidentiality protection. AH uses a keyed-hash function rather than digital signatures.
2. ESP = encapsulating security payload. This header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header.
Note AH and ESP can be used independently or together, although for most applications just one of them is
sufficient. For both of these protocols, IPSec does not define the specific security algorithms to use, but
rather, provides an open framework for implementing industry-standard algorithms.
Command Purpose
Step 1  hq-sanjose(config)# crypto map s4second local-address serial 2/0
        Create the crypto map and specify a local address (physical interface) to be used for the IPSec traffic. This example creates crypto map s4second and specifies serial interface 2/0 of the headquarters router as the local address. This step is only required if you have previously used the loopback command or if you are using GRE tunnels.
Step 2  hq-sanjose(config)# crypto map s4second 2 ipsec-isakmp
        Enter crypto map configuration mode, specify a sequence number for the crypto map you created in Step 1, and configure the crypto map to use IKE to establish SAs. This example configures sequence number 2 and IKE for crypto map s4second.
Step 3  hq-sanjose(config-crypto-map)# match address 111
        Specify an extended access list. This access list determines which traffic is protected by IPSec and which traffic is not protected by IPSec. This example configures access list 111, which was created in the “Creating Crypto Access Lists” section on page 3-22.
Step 4  hq-sanjose(config-crypto-map)# set peer 172.23.2.7
        Specify a remote IPSec peer (by host name or IP address). This is the peer to which IPSec protected traffic can be forwarded. This example specifies serial interface 1/0 (172.23.2.7) on the business partner router.
Step 5  hq-sanjose(config-crypto-map)# set transform-set proposal4
        Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first). This example specifies transform set proposal4, which was configured in the “Defining Transform Sets and Configuring IPSec Tunnel Mode” section on page 3-23.
Step 6  hq-sanjose(config-crypto-map)# exit
        hq-sanjose(config)#
        Exit back to global configuration mode.
To create dynamic crypto map entries that will use IKE to establish the SAs, complete the following
steps, starting in global configuration mode:
Command Purpose
Step 1  hq-sanjose(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num
        Creates a dynamic crypto map entry.
Step 2  hq-sanjose(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
        Specifies which transform sets are allowed for the crypto map entry. List multiple transform sets in order of priority (highest priority first). This is the only configuration statement required in dynamic crypto map entries.
Step 3  hq-sanjose(config-crypto-map)# match address access-list-id
        (Optional) Specifies the access list number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry.
        Note Although access lists are optional for dynamic crypto maps, they are highly recommended.
Tip If you have trouble, make sure you are using the correct IP addresses.
Command Purpose
Step 1  hq-sanjose(config)# interface serial 2/0
        Specify a physical interface on which to apply the crypto map and enter interface configuration mode. This example specifies serial interface 2/0 on the headquarters router.
Step 2  hq-sanjose(config-if)# crypto map s4second
        Apply the crypto map set to the physical interface. This example configures crypto map s4second, which was created in the “Creating Crypto Map Entries” section on page 3-25.
Step 3  hq-sanjose(config-if)# exit
        hq-sanjose(config)#
        Exit back to global configuration mode.
Step 4  hq-sanjose# clear crypto sa
        In privileged EXEC mode, clear the existing IPSec SAs so that any changes are used immediately. (Manually established SAs are reestablished immediately.)
        Note Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database.
Cisco IOS QoS service models, features, and sample configurations are explained in detail in the Quality
of Service Solutions Configuration Guide and the Quality of Service Solutions Command Reference.
Refer to these two publications as you plan and implement a QoS strategy for your VPN, because there
are various QoS service models and features that you can implement on your VPN. See “Related
Documentation” section on page xi for information on how to access these publications.
This section contains basic steps to configure QoS weighted fair queuing (WFQ), which applies priority
(or weights) to identified traffic on the GRE tunnel you configured in the “Step 1—Configuring the
Tunnel” section on page 3-6. This section also contains basic steps to configure Network-Based
Application Recognition (NBAR), which is a classification engine that recognizes a wide variety of
applications, including web-based and other protocols that utilize dynamic TCP/UDP port assignments.
This section includes the following topics:
• Configuring Network-Based Application Recognition
• Configuring Weighted Fair Queuing
• Verifying Weighted Fair Queuing
• Configuring Class-Based Weighted Fair Queuing
• Verifying Class-Based Weighted Fair Queuing
Note You must enable Cisco Express Forwarding (CEF) before you configure NBAR. For more information
on CEF, refer to the Cisco IOS Release 12.0 configuration guide titled Cisco IOS Switching Services
Configuration Guide.
Command Purpose
Step 1  Router(config)# class-map [match-all | match-any] class-name
        Specifies the user-defined name of the class map. The match-all option specifies that all match criteria in the class map must be matched. The match-any option specifies that one or more match criteria must match.[1]
Step 2  Router(config-cmap)# match protocol protocol-name
        Specifies a protocol supported by NBAR as a matching criterion.
Step 3  Router(config-cmap)# match class-map class-name
        Specifies a class map as a matching criterion (nested class maps).
1. When neither match-all nor match-any is specified, the default is match-all. Use the no class-map command to disable the class map. Use the no match-all and no match-any commands to disable these commands within the class map. Use the match not command to configure a match that evaluates to true if the packet does not match the specified protocol.
Command Purpose
Step 1  Router(config)# policy-map policy-name
        Specifies the user-defined policy map name.
Step 2  Router(config-pmap)# class class-name
        Specifies the name of a previously defined class map.
Step 3  Router(config-pmap-c)# bandwidth kbps
        Specifies a minimum bandwidth guarantee for a traffic class.
Step 4  Router(config-pmap-c)# police bps conform transmit exceed drop
        Specifies the maximum bandwidth usage of a traffic class.
Step 5  Router(config-pmap-c)# set ip precedence {0-7}
        Specifies the IP precedence of packets within a traffic class.
Step 6  Router(config-pmap-c)# set qos-group {0-99}
        Specifies a QoS-group value to associate with the packet.
Step 7  Router(config-pmap-c)# random-detect
        Enables the weighted random early detection (WRED) drop policy for a traffic class that has a bandwidth guarantee.
Step 8  Router(config-pmap-c)# queue-limit packets
        Specifies the maximum number of packets queued for a traffic class (in the absence of random-detect).
Use the no policy-map command to deconfigure the policy map. Use the no bandwidth, no police, no set, and no random-detect commands to disable these commands within the policy map.
Command Purpose
Step 1  Router(config-if)# service-policy output policy-map-name
        Specifies the name of the policy map to be attached to the output direction of the interface.
Step 2  Router(config-if)# service-policy input policy-map-name
        Specifies the name of the policy map to be attached to the input direction of the interface.
Use the no service-policy [input | output] policy-map-name command to detach a policy map from an interface.
Command Purpose
Router# show policy-map
        Displays all configured policy maps.
Router# show policy-map policy-map-name
        Displays the user-specified policy map.
Router# show policy-map interface
        Displays statistics and configurations of all input and output policies that are attached to an interface.
Router# show policy-map interface-spec
        Displays configuration and statistics of the input and output policies attached to a particular interface.
Router# show policy-map interface-spec [input]
        Displays configuration and statistics of the input policy attached to an interface.
Router# show policy-map interface-spec [output]
        Displays configuration and statistics of the output policy attached to an interface.
Router# show policy-map interface-spec [input | output] class class-name
        Displays the configuration and statistics for the class name configured in the policy.
Command Purpose
Step 1  hq-sanjose(config)# interface serial 1/0
        Specify an interface and enter interface configuration mode. This example specifies serial interface 1/0 on the headquarters router.
Step 2  hq-sanjose(config-if)# fair-queue
        Configure fair queuing on the interface.
Step 3  hq-sanjose(config-if)# exit
        hq-sanjose(config)#
        Exit back to global configuration mode.
• Enter the show interfaces serial 1/0 EXEC command to verify the queuing for the interface is WFQ.
hq-sanjose# show interfaces serial 1/0
Serial1/0 is up, line protocol is up
Hardware is M2T-T3 pa
Note Although CBWFQ supports the use of WRED, this guide does not include WRED configuration
procedures. For more information on using WRED with CBWFQ, refer to the Cisco IOS Release 12.2
Configuration Guide Master Index.
If a default class is configured, all unclassified traffic is treated as belonging to the default class. If no
default class is configured, then by default the traffic that does not match any of the configured classes
is flow classified and given best-effort treatment. Once a packet is classified, all of the standard
mechanisms that can be used to differentiate service among the classes apply.
Flow classification is standard WFQ treatment. That is, packets with the same source IP address,
destination IP address, source Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
port, and destination TCP or UDP port are classified as belonging to the same flow. WFQ allocates an
equal share of bandwidth to each flow. Flow-based WFQ is also called fair queueing because all flows
are equally weighted.
For CBWFQ, which extends the standard WFQ, the weight specified for the class becomes the weight
of each packet that meets the match criteria of the class. Packets that arrive at the output interface are
classified according to the match criteria filters you define, then each one is assigned the appropriate
weight.
The weight for a packet belonging to a specific class is derived from the bandwidth you assigned to the
class when you configured it; in this sense the weight for a class is user-configurable.
After a packet's weight is assigned, the packet is enqueued in the appropriate class queue. CBWFQ uses
the weights assigned to the queued packets to ensure that the class queue is serviced fairly.
The following tasks are required to configure CBWFQ:
• Defining a Class Map
• Configuring Class Policy in the Policy Map (Tail Drop)
• Attaching the Service Policy and Enabling CBWFQ
Note Attaching a service policy to an interface disables WFQ on that interface if WFQ is configured for the
interface. For this reason, you should ensure that WFQ is not enabled on such an interface. For additional
information on WFQ, see the "Configuring Weighted Fair Queueing" chapter of the Cisco IOS Release
12.0 Quality of Service Solutions Configuration Guide.
Step 1  hq-sanjose(config)# class-map class-map-name
        Specifies the name of the class map to be created.
Step 2  hq-sanjose(config-cmap)# match access-group access-group
        Specifies the number of the numbered ACL against whose contents packets are checked to determine whether they belong to the class.
Step 3  hq-sanjose(config-cmap)# match input-interface interface-name
        Specifies the name of the input interface used as a match criterion against which packets are checked to determine whether they belong to the class.
Step 4  hq-sanjose(config-cmap)# match protocol protocol
        Specifies the name of the protocol used as a match criterion against which packets are checked to determine whether they belong to the class.
Step 1  hq-sanjose(config)# policy-map policy-map
        Specifies the name of the policy map to be created or modified.
Step 2  hq-sanjose(config-pmap)# class class-name
        Specifies the name of a class to be created and included in the service policy.
Step 3  hq-sanjose(config-pmap-c)# bandwidth bandwidth-kbps
        Specifies the amount of bandwidth in kilobits per second (kbps) to be assigned to the class.
Step 4  hq-sanjose(config-pmap-c)# queue-limit number-of-packets
        Specifies the maximum number of packets that can be enqueued for the class.
Step 5  hq-sanjose(config-pmap)# class class-default default-class-name
        Specifies the default class in order to configure its policy.
Step 6  hq-sanjose(config-pmap-c)# bandwidth bandwidth-kbps
        Specifies the amount of bandwidth in kilobits per second to be assigned to the default class.
Step 7  hq-sanjose(config-pmap-c)# queue-limit number-of-packets
        Specifies the maximum number of packets that can be enqueued for the default class.
hq-sanjose(config-if)# service-policy output policy-map
    Enables CBWFQ and attaches the specified service policy map to the output direction of the interface.
Note When CBWFQ is enabled, all classes configured as part of the service policy map are installed in the
fair queueing system.
hq-sanjose# show policy policy-map
    Displays the configuration of all classes comprising the specified policy map.
hq-sanjose# show policy policy-map class class-name
    Displays the configuration of the specified class of the specified policy map.
hq-sanjose# show policy interface interface-name
    Displays the configuration of all classes configured for all policy maps on the specified interface.
Note The Cisco Secure PIX Firewall can be used as an alternative to Cisco IOS firewall features. For detailed
information on the Cisco Secure PIX Firewall, refer to the Cisco Secure PIX Firewall documentation.
Note Although Cisco 7200 series routers support intrusion detection features, intrusion detection
configuration procedures are not explained in this guide. For detailed information on intrusion detection,
refer to the Intrusion Detection Planning Guide.
You can use Cisco IOS firewall features to configure your Cisco IOS router as:
• An Internet firewall or part of an Internet firewall
• A firewall between groups in your internal network
• A firewall providing secure connections to or from branch offices
• A firewall between your company network and your company partners' networks
Cisco IOS firewall features provide the following benefits:
• Protects internal networks from intrusion
• Monitors traffic through network perimeters
• Enables network commerce using the World Wide Web
At a minimum, you must configure basic traffic filtering to provide a basic firewall. You can configure
your Cisco 7200 series router to function as a firewall by using the following Cisco IOS security features:
• Static access lists and static or dynamic extended access lists
• Lock-and-key (dynamic extended access lists)
Note Refer to the “Traffic Filtering and Firewalls” part of the Cisco IOS Security Configuration Guide and
the Cisco IOS Security Command Reference for advanced firewall configuration information. For
information on how to access these documents, see “Related Documentation” section on page xi.
This section explains how to configure an extended access list, which is a sequential collection of permit
and deny conditions that are applied to IP packets, matched on their addresses, protocol, and ports.
This section includes the following topics:
• Creating Extended Access Lists Using Access List Numbers
• Verifying Extended Access Lists
• Applying Access Lists to Interfaces
• Verifying Extended Access Lists Are Applied Correctly
Note The extended access list configuration explained in this section is different from the crypto access list
configuration explained in the “Creating Crypto Access Lists” section on page 3-22. Crypto access lists
are used to define which IP traffic is or is not protected by crypto, while an extended access list is used
to determine which IP traffic to forward or block at an interface.
The simplest way to connect to the Internet is to use a single device that provides both the connectivity
and the firewall function. With everything in one device, address translation and termination of the VPN
tunnels are easy to arrange. Complexity arises when you need to add extra Cisco 7200 series routers to the
network. This normally leads to building a network in which the corporate network touches the Internet
through a network called the DMZ, or demilitarized zone.
Step 1  hq-sanjose(config)# access-list 102 deny tcp any any
        Defines access list 102 and configures it to deny all TCP traffic.
Step 2  hq-sanjose(config)# access-list 102 deny udp any any
        Configures access list 102 to deny all UDP traffic.
Step 3  hq-sanjose(config)# access-list 102 permit ip any any
        Configures access list 102 to permit all other IP traffic.
Entries are evaluated in order and the first match decides, so this list drops every TCP and UDP packet, including the UDP port 500 traffic ISAKMP uses to negotiate the IPSec security associations, while GRE (IP protocol 47), ESP (50), and AH (51) still fall through to the final permit. Do not apply a list like this to the interface that terminates a VPN tunnel without first adding entries that permit the IKE traffic from the peer. Every access list also ends with an implicit deny ip any any, so without the permit ip any any entry the list would block all traffic.
Step 1  hq-sanjose(config)# interface serial 1/0
        Specifies serial interface 1/0 on the headquarters router and enters interface configuration mode.
Step 2  hq-sanjose(config-if)# ip access-group 102 in
        Applies access list 102 inbound on serial interface 1/0 on the headquarters router.
Step 3  hq-sanjose(config-if)# ip access-group 102 out
        Applies access list 102 outbound on serial interface 1/0 on the headquarters router.
Step 4  hq-sanjose(config-if)# exit
        hq-sanjose(config)#
        Exits back to global configuration mode.
For inbound access lists, after receiving a packet, the Cisco IOS software checks the packet against the
access list (for an extended list, the source and destination addresses, the protocol, and any port
qualifiers, evaluated entry by entry until the first match). If the access list permits the packet, the
software continues to process it. If the access list rejects the packet, the software discards it and returns
an ICMP host unreachable message.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software
checks the packet against the access list in the same way. If the access list permits the packet, the
software transmits it. If the access list rejects the packet, the software discards it and returns an ICMP
host unreachable message.
When you apply an access list that has not yet been defined to an interface, the software acts as if no
access list were applied to the interface and accepts all packets. Be aware of this behavior if you rely
on the presence of an access list for security: an ip access-group command that refers to a list number
that does not exist (for example, because the list was deleted with the no access-list command, which
removes every entry of a numbered list) is not a filter at all. Verify with the show ip access-lists
command that each list referenced from an interface actually exists, and with the show ip interface
command that it is applied in the intended direction.
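The access list behavior described above (first match wins, every defined list ends in an implicit deny, and a list that an interface references but that was never defined lets everything through) modelled in Python. This is an added example written for this page, not Cisco IOS code. It parses the page's access lists 101 and 102 together with a constructed interface stanza that references a list number (103) that is never defined, evaluates the packets a GRE-over-IPSec tunnel needs, and reports the dangling reference. The protocol and port keyword tables are assumed subsets of what IOS accepts.

```python
"""Model of Cisco IOS extended-ACL evaluation: first match wins, a defined list
ends with an implicit 'deny ip any any', and a list that is applied to an
interface but never defined permits all traffic.  Added illustration, not IOS
code; SAMPLE_CONFIG is constructed from the page's examples plus one extra
ip access-group line that names an undefined list."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed subsets of the protocol and port keywords IOS understands.
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500, "www": 80, "telnet": 23, "tacacs": 49, "ftp": 21, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str
    proto: Optional[int]            # None stands for 'ip' (any protocol)
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))   # IOS wildcard: 1 bits are don't-care
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier (number or keyword)."""
    if tokens[:1] != ["eq"]:
        return None
    tokens.pop(0)
    name = tokens.pop(0)
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def parse_rule(line: str) -> Rule:
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]'."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return Rule(action, PROTO_NUMBERS[proto], src, sport, dst, dport)


def load_acls(config_lines: List[str]) -> Dict[int, List[Rule]]:
    acls: Dict[int, List[Rule]] = {}
    for line in config_lines:
        line = line.strip()
        if line.startswith("access-list "):
            acls.setdefault(int(line.split()[1]), []).append(parse_rule(line))
    return acls


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acls: Dict[int, List[Rule]], number: int, pkt: Packet) -> str:
    """First matching entry decides; no match is the implicit deny; a list that
    does not exist behaves as if nothing were applied, i.e. permit."""
    if number not in acls:
        return "permit"
    for rule in acls[number]:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def undefined_acl_references(config_lines: List[str]) -> List[Tuple[str, int, str]]:
    """(interface, acl, direction) for every ip access-group that names a list
    the configuration never defines; these interfaces are silently unfiltered."""
    acls, found, iface = load_acls(config_lines), [], None
    for line in config_lines:
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif line.strip().startswith("ip access-group "):
            _, _, num, direction = line.split()
            if int(num) not in acls:
                found.append((iface, int(num), direction))
    return found


SAMPLE_CONFIG = """\
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 ip access-group 102 in
 ip access-group 103 out
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
access-list 102 deny tcp any any
access-list 102 deny udp any any
access-list 102 permit ip any any
""".splitlines()


def check_tunnel_traffic(acls: Optional[Dict[int, List[Rule]]] = None) -> Dict[str, str]:
    """Verdicts for the packets hq-sanjose sends to ro-rtp over the tunnel."""
    if acls is None:
        acls = load_acls(SAMPLE_CONFIG)
    ike = Packet(17, "172.17.2.4", "172.24.2.5", 500, 500)   # ISAKMP on UDP/500
    esp = Packet(50, "172.17.2.4", "172.24.2.5")             # IPsec ESP
    gre = Packet(47, "172.17.2.4", "172.24.2.5")             # GRE tunnel packet
    return {
        "ike via acl 102": evaluate(acls, 102, ike),   # deny: hits 'deny udp any any'
        "esp via acl 102": evaluate(acls, 102, esp),   # permit: falls through to 'permit ip any any'
        "gre via acl 101": evaluate(acls, 101, gre),   # permit: the crypto ACL matches it
        "ike via acl 101": evaluate(acls, 101, ike),   # deny: implicit deny at end of list
        "ike via acl 103": evaluate(acls, 103, ike),   # permit: list never defined
    }


if __name__ == "__main__":
    for name, verdict in check_tunnel_traffic().items():
        print(f"{name}: {verdict}")
    print("undefined lists referenced:", undefined_acl_references(SAMPLE_CONFIG))
```

Run it against a saved running-config to find ip access-group lines that point at nothing; that is the exact condition the paragraph above warns about, and it is invisible in show ip interface output unless you compare it with show ip access-lists.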
Tip If you have trouble, ensure that you specified the correct interface when you applied the access list.
Site-to-Site Scenario
The following sample configurations (headquarters router hq-sanjose and remote office router ro-rtp) are based on the physical elements shown in Figure 3-8.
[Figure 3-8: site-to-site scenario. Headquarters: Fast Ethernet 0/1 10.1.6.4/24, private corporate server 10.1.3.6/24, public web server 10.1.6.5/24. Remote office: PC A 10.1.4.3/24.]
Treat these configurations as minimal working examples rather than a hardened baseline: the transform set uses esp-des (56-bit DES, no longer considered secure), the IKE pre-shared key is a short fixed string (test12345) that appears in the clear in the running configuration, service password-encryption is disabled, and the vty lines have login enabled but no password, so remote login is refused until a line password or AAA login authentication is configured. Use a stronger cipher your release supports, a long random pre-shared key (or certificate authentication), and an explicit vty authentication method before deploying.
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7200-jk9o3s-mz.123-3
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.24.2.5
set transform-set proposal1
match address 101
!
interface Tunnel0
bandwidth 180
ip address 172.17.3.3 255.255.255.0
no ip directed-broadcast
tunnel source 172.17.2.4
tunnel destination 172.24.2.5
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.17.2.4 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7200-jk9o3s-mz.123-3
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.17.2.4
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.17.2.4
set transform-set proposal1
match address 101
!
interface Tunnel1
bandwidth 180
ip address 172.24.3.6 255.255.255.0
no ip directed-broadcast
tunnel source 172.24.2.5
tunnel destination 172.17.2.4
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.4.2 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.24.2.5 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Extranet Scenario
The following sample configurations (headquarters router hq-sanjose and business partner router bus-ptnr) are based on the physical elements shown in Figure 3-9.
[Figure 3-9: extranet scenario. Headquarters gateway hq-sanjose, with private corporate server 10.1.3.6/24 and public web server 10.1.6.5/24 (PC A on the headquarters side), connected by an IPSec tunnel across the Internet to the business partner gateway bus-ptnr: Serial 1/0 172.23.2.7/24, Fast Ethernet 0/0 10.1.5.2/24, PC B 10.1.5.3/24.]
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7200-jk9o3s-mz.123-3
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s4second
!
router bgp 10
network 10.2.2.2 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.0
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
ip nat inside source static 10.1.6.5 10.2.2.2
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname bus-ptnr
!
boot system flash bootflash:
boot bootldr bootflash:c7200-jk9o3s-mz.123-3
boot config slot0:bus-ptnr-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test67890 address 172.16.2.2
!
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map s4second local-address Serial1/0
crypto map s4second 2 ipsec-isakmp
set peer 172.16.2.2
set transform-set proposal4
match address 111
!
interface FastEthernet0/0
ip address 10.1.5.2 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.23.2.7 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s4second
!
router bgp 10
network 10.1.5.0 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.0
!
access-list 111 permit ip host 10.1.5.3 host 10.2.2.2
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
This chapter explains the basic tasks for configuring an IP-based, remote access Virtual Private Network
(VPN) on a Cisco 7200 series router. In the remote access VPN business scenario, a remote user running
VPN client software on a PC establishes a connection to the headquarters Cisco 7200 series router.
The configurations in this chapter utilize a Cisco 7200 series router. If you have a Cisco 2600 series
router or a Cisco 3600 series router, your configurations will differ slightly, most notably in the port slot
numbering. Please refer to your model configuration guide for detailed configuration information. Please
refer to the “Obtaining Documentation” section on page xii for instructions about locating product
documentation.
Note In this Guide, the term ‘Cisco 7200 series router’ implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
This chapter describes basic features and configurations used in a remote access VPN scenario. Some
Cisco IOS security software features not described in this document can be used to increase performance
and scalability of your VPN. For up-to-date Cisco IOS security software features documentation, refer
to the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for your
Cisco IOS Release. To access these documents, see “Related Documentation” section on page xi.
This chapter includes the following sections:
• Scenario Description, page 4-2
• Configuring a Cisco IOS VPN Gateway for Use with Cisco Secure VPN Client Software, page 4-3
• Configuring a Cisco IOS VPN Gateway for Use with Microsoft Dial-Up Networking, page 4-3
• Configuring Cisco IOS Firewall Authentication Proxy, page 4-8
• Comprehensive Configuration Examples, page 4-11
Note Throughout this chapter, there are numerous configuration examples and sample configuration outputs
that include unusable IP addresses. Be sure to use your own IP addresses when configuring your Cisco
7200 series router.
Scenario Description
Figure 4-1 shows a headquarters network providing a remote user access to the corporate intranet. In this
scenario, the headquarters and remote user are connected through a secure tunnel that is established over
an IP infrastructure (the Internet). The remote user is able to access internal, private web pages and
perform various IP-based network tasks.
[Figure 4-1: remote access scenario. Headquarters gateway hq-sanjose on the corporate intranet, connected by a serial line to the Internet; a remote user, also on a serial line, reaches the intranet through a secure tunnel.]
Figure 4-2 shows the physical elements of the scenario. The Internet provides the core interconnecting
fabric between the headquarters and the remote user. The headquarters is using a Cisco IOS VPN gateway
(a Cisco 7200 series router with an Integrated Service Adaptor (ISA) or VAM, a Cisco 2600 series router,
or a Cisco 3600 series router), and the remote user is running VPN client software on a PC.
The tunnel is terminated on the first serial interface in chassis slot 1 (serial 1/0) of the headquarters
router. Fast Ethernet interface 0/0 of the headquarters router is connected to a corporate server and
Fast Ethernet interface 0/1 is connected to a web server.
[Figure 4-2: physical elements. Headquarters gateway hq-sanjose: Fast Ethernet 0/0 10.1.3.3/24 to the private corporate server, Fast Ethernet 0/1 10.1.6.4/24 to the public web server, Serial 1/0 172.17.2.4/24 to the Internet; secure tunnel across the Internet to a remote user running VPN client software on a PC.]
The configuration steps in the following sections are for the headquarters router. Comprehensive
configuration examples for the headquarters router are provided in the “Comprehensive Configuration
Examples” section on page 4-11. Table 4-1 lists the physical elements of the scenario.
Note PPTP/MPPE is built into Windows DUN1.2 and above. However, 128-bit encryption and stateless
(historyless) MPPE is only supported in Windows DUN1.3 or later versions. PPTP/MPPE only supports
Cisco Express Forwarding (CEF) and process switching. Regular fast switching is not supported.
Alternatively, a remote user with client software bundled into Microsoft Windows 2000 can use Layer 2
Tunneling Protocol (L2TP) with IPSec to access the corporate headquarters network through a secure
tunnel.
Because L2TP is a standard protocol, enterprises can enjoy a wide range of service offerings available
from multiple vendors. L2TP implementation is a solution that provides a flexible, scalable remote
network access environment without compromising corporate security or endangering mission-critical
applications.
Configuring PPTP/MPPE
PPTP is a network protocol that enables the secure transfer of data from a remote client to a private
enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand,
multiprotocol, virtual private networking over public networks, such as the Internet.
MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP
connections can be over a dialup line or over a VPN tunnel. MPPE works as a subfeature of Microsoft
Point-to-Point Compression (MPPC).
MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext
authentication password of the user, so the confidentiality of the tunnel is bounded by the strength of
that password and of the MS-CHAP exchange that proves it. Both MS-CHAP and RC4 have since been shown to
be weak, so treat PPTP/MPPE as legacy access for clients that support nothing better and prefer the
L2TP/IPSec configuration described later in this chapter. RC4 is a stream cipher; therefore, the
encrypted and decrypted frames are the same size as the original frame. The Cisco implementation of MPPE
is fully interoperable with that of Microsoft and uses all available options, including historyless mode.
Historyless mode can increase throughput in high-loss environments such as VPNs.
Note The VAM, available on Cisco 7200 series routers, does not support MPPE.
Note Windows clients must use Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
authentication for MPPE to work. If you are performing mutual authentication with MS-CHAP and
MPPE, both sides of the tunnel must use the same password.
This section contains basic steps to configure PPTP/MPPE and includes the following tasks:
• Configuring a Virtual Template for Dial-In Sessions
• Configuring PPTP
• Configuring MPPE
Step 1  hq-sanjose(config)# interface virtual-template number
        Creates the virtual template that is used to clone virtual-access interfaces.
Step 2  hq-sanjose(config-if)# ip unnumbered interface-type number
        Specifies the interface whose IP address the virtual-access interfaces use.
Step 3  hq-sanjose(config-if)# ppp authentication ms-chap
        Enables MS-CHAP authentication using the local username database. All Windows clients using MPPE must use MS-CHAP.
Step 4  hq-sanjose(config)# ip local pool default first-ip-address last-ip-address
        Configures the default local pool of IP addresses that will be assigned to clients. This is a global configuration command, so enter it from global configuration mode (before Step 1, or after exiting the virtual template).
Step 5  hq-sanjose(config-if)# peer default ip address pool {default | name}
        Returns an IP address from the default pool to the client.
Step 6  hq-sanjose(config-if)# no ip mroute-cache
        Disables fast switching of IP multicast on the virtual-access interfaces (ip mroute-cache without the no keyword enables it).
Step 7  hq-sanjose(config-if)# ppp encrypt mppe {auto | 40 | 128} [passive | required] [stateful]
        (Optional) Enables MPPE encryption on the virtual template (1) if you are using an ISA with a Cisco 7200 series router; see the "Configuring MPPE" section on page 4-6. Specify required so that a client that does not negotiate MPPE is disconnected rather than carried in the clear.
        Note: The VAM, available on Cisco 7200 series routers, does not support MPPE.
1. Stateful MPPE encryption changes the key every 255 packets. Stateless (historyless) MPPE encryption generates a new key for every packet.
Stateless MPPE is only supported in recent versions of Dial-Up Networking (DUN1.3).
Configuring PPTP
To configure a Cisco 7200 series router to accept tunneled PPP connections from a client, use the
following commands beginning in global configuration mode:
Step 1  hq-sanjose(config)# vpdn enable
        Enables virtual private dialup networking on the router.
Step 2  hq-sanjose(config)# vpdn-group 1
        Creates VPDN group 1.
Step 3  hq-sanjose(config-vpdn)# accept-dialin
        Enables the tunnel server to accept dial-in requests.
Step 4  hq-sanjose(config-vpdn-acc-in)# protocol pptp
        Specifies that the tunneling protocol will be PPTP.
Step 5  hq-sanjose(config-vpdn-acc-in)# virtual-template template-number
        Specifies the number of the virtual template that will be used to clone the virtual-access interface.
Step 6  hq-sanjose(config-vpdn-acc-in)# exit
        hq-sanjose(config-vpdn)# local name localname
        (Optional) Specifies that the tunnel server will identify itself with this local name. If no local name is specified, the tunnel server identifies itself with its host name.
Configuring MPPE
Note The VPN Acceleration Module (VAM) card does not support MPPE.
To configure MPPE on your Cisco 7200 series router (with an ISA), use the following commands
beginning in global configuration mode:
Step 1  hq-sanjose(config)# controller isa slot/port
        Enters controller configuration mode for the ISA card.
Step 2  hq-sanjose(config-controller)# encryption mppe
        Enables MPPE encryption.
Verifying PPTP/MPPE
After you complete a connection, enter the show vpdn tunnel command or the show vpdn session
command to verify your PPTP and MPPE configuration, and the show ppp mppe virtual-access command
to confirm that MPPE was actually negotiated on the session (a session without MPPE is carrying PPP
frames in the clear). The following example contains typical output:
hq-sanjose# show vpdn tunnel
PPTP Tunnel Information (Total tunnels=1 sessions=1)
Configuring L2TP/IPSec
L2TP is an extension of the Point-to-Point Protocol (PPP) and is often a fundamental building block for
VPNs. L2TP merges the best features of two other tunneling protocols: Layer 2 Forwarding (L2F) from
Cisco Systems and PPTP from Microsoft. L2TP is an Internet Engineering Task Force (IETF) standard
(RFC 2661).
Note For information on IPSec, see the “Step 3—Configuring Encryption and IPSec” section on page 3-13.
This section contains basic steps to configure L2TP/IPSec and includes the following tasks:
• Configuring a Virtual Template for Dial-In Sessions
• Configuring L2TP
• Configuring Encryption and IPSec
Note When configuring a virtual template for use with L2TP/IPSec, do not enable MPPE.
Configuring L2TP
To configure a Cisco 7200 series router to accept tunneled L2TP connections from a client, use the
following commands beginning in global configuration mode:
Step 1  hq-sanjose(config)# vpdn enable
        Enables virtual private dialup networking on the router.
Step 2  hq-sanjose(config)# vpdn-group 1
        Creates VPDN group 1.
Step 3  hq-sanjose(config-vpdn)# accept-dialin
        Enables the tunnel server to accept dial-in requests.
Step 4  hq-sanjose(config-vpdn-acc-in)# protocol l2tp
        Specifies that the tunneling protocol will be L2TP.
Step 5  hq-sanjose(config-vpdn-acc-in)# virtual-template template-number
        Specifies the number of the virtual template that will be used to clone the virtual-access interface.
Step 6  hq-sanjose(config-vpdn-acc-in)# exit
        hq-sanjose(config-vpdn)# local name localname
        (Optional) Specifies that the tunnel server will identify itself with this local name. If no local name is specified, the tunnel server identifies itself with its host name.
Verifying L2TP
Enter the show vpdn tunnel command to verify your L2TP configuration.
hq-sanjose# show vpdn tunnel
L2TP Tunnel and Session Information (Total tunnels=5 sessions=5)
Note When using IPSec with L2TP, do not configure IPSec tunnel mode.
Note Although the configuration instructions in the listed sections refer to the “Extranet Scenario” section on
page 3-4, the same configuration instructions apply to the remote access scenario described in the
“Scenario Description” section on page 4-2.
Step 1  hq-sanjose(config)# aaa new-model
        Enables the AAA functionality on the router.
Step 2  hq-sanjose(config)# aaa authentication login default group tacacs+ group radius
        Defines the list of authentication methods used at login (here TACACS+ first, then RADIUS if no TACACS+ server responds).
Step 3  hq-sanjose(config)# aaa authorization auth-proxy default [method1 [method2...]]
        Enables authorization for the authentication proxy through the listed AAA methods.
Step 4  hq-sanjose(config)# tacacs-server host hostname
        Specifies an AAA server. For RADIUS servers, use the radius-server host command.
Step 5  hq-sanjose(config)# tacacs-server key string
        Sets the authentication and encryption key for communications between the router and the AAA server; it must match the key configured on the server, and should be a long random value. For RADIUS servers, use the radius-server key command.
Step 6  hq-sanjose(config)# access-list access-list-number permit tcp host source eq tacacs host destination
        Creates an ACL entry that allows the AAA server return traffic to the firewall. The source address is the IP address of the AAA server, and the destination address is the IP address of the router interface on the segment where the AAA server resides.
In addition to configuring AAA on the firewall router, the authentication proxy requires a per-user access
profile configuration on the AAA server. To support the authentication proxy, configure the AAA
authorization service “auth-proxy” on the AAA server as outlined here:
• Define a separate section of authorization for auth-proxy to specify the downloadable user profiles.
This does not interfere with other types of service, such as EXEC. The following example shows a
user profile on a TACACS server:
default authorization = permit
key = cisco
user = newuser1 {
    login = cleartext cisco
    service = auth-proxy
    {
        priv-lvl=15
        proxyacl#1="permit tcp any any eq 26"
        proxyacl#2="permit icmp any host 60.0.0.2"
        proxyacl#3="permit tcp any any eq ftp"
        proxyacl#4="permit tcp any any eq ftp-data"
        proxyacl#5="permit tcp any any eq smtp"
        proxyacl#6="permit tcp any any eq telnet"
    }
}
• The only supported attribute in the AAA server user configuration is proxyacl#n. Use the
proxyacl#n attribute when configuring the access lists in the profile. The attribute proxyacl#n is for
both RADIUS and TACACS+ attribute-value (AV) pairs.
• The privilege level must be set to 15 for all users.
• The access lists in the user profile on the AAA server must have permit only access commands.
• Set the source address to any in each of the user profile access list entries. The source address in the
access lists is replaced with the source address of the host making the authentication proxy request
when the user profile is downloaded to the firewall.
• The supported AAA servers are CiscoSecure ACS 2.1.x for Windows NT (where x is a number 0 to
12) and CiscoSecure ACS 2.3 for Windows NT, CiscoSecure ACS 2.2.4 for UNIX and CiscoSecure
ACS 2.3 for UNIX, TACACS+ server (vF4.02.alpha), Ascend RADIUS server - radius-980618
(required avpair patch), and Livingston RADIUS server (v1.16).
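The profile rules in the list above (privilege level 15, only proxyacl#n attributes, permit-only entries, a source of any that the router replaces with the address of the authenticating host) as an added Python example written for this page; it is not CiscoSecure or IOS code. It parses the sample TACACS+ profile, rejects a profile that breaks any of the rules, and renders the dynamic ACL entries the firewall would install for one client. The client address 192.168.25.215 is the one in the show ip auth-proxy cache output later in this section, and the handling of the TACACS+ freeform file syntax is a simplification assumed for the example.

```python
"""Validate a TACACS+ auth-proxy user profile against the constraints the
Cisco IOS authentication proxy imposes, and render the per-user dynamic ACL
entries the firewall installs once the host has authenticated.  Added
illustration, not CiscoSecure or IOS code.  SAMPLE_PROFILE is the page's
example profile with the braces closed."""
import ipaddress
import re
from typing import List, Tuple

SAMPLE_PROFILE = """
default authorization = permit
key = cisco
user = newuser1 {
    login = cleartext cisco
    service = auth-proxy
    {
        priv-lvl=15
        proxyacl#1="permit tcp any any eq 26"
        proxyacl#2="permit icmp any host 60.0.0.2"
        proxyacl#3="permit tcp any any eq ftp"
        proxyacl#4="permit tcp any any eq ftp-data"
        proxyacl#5="permit tcp any any eq smtp"
        proxyacl#6="permit tcp any any eq telnet"
    }
}
"""

# The auth-proxy service block has no nested braces, so the first '}' closes it.
SERVICE_RE = re.compile(r"service\s*=\s*auth-proxy\s*\{([^}]*)\}", re.S)
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9#_-]+)\s*=\s*"?([^"]*)"?\s*$')


class ProfileError(ValueError):
    """Raised when the profile would be ignored or misapplied by the proxy."""


def parse_auth_proxy_service(profile: str) -> List[Tuple[str, str]]:
    """Return the ordered (attribute, value) pairs inside service = auth-proxy { ... }."""
    block = SERVICE_RE.search(profile)
    if not block:
        raise ProfileError("no 'service = auth-proxy' block in profile")
    pairs = []
    for line in block.group(1).splitlines():
        if not line.strip():
            continue
        attr = ATTR_RE.match(line)
        if not attr:
            raise ProfileError(f"unparsable attribute line: {line.strip()!r}")
        pairs.append((attr.group(1), attr.group(2).strip()))
    return pairs


def validate(pairs: List[Tuple[str, str]]) -> List[List[str]]:
    """Enforce the proxy's rules and return the tokenised proxyacl entries."""
    if dict(pairs).get("priv-lvl") != "15":
        raise ProfileError("priv-lvl must be 15 for every auth-proxy user")
    aces = []
    for name, value in pairs:
        if name == "priv-lvl":
            continue
        if not re.fullmatch(r"proxyacl#\d+", name):
            raise ProfileError(f"{name}: only proxyacl#n attributes are honoured")
        tokens = value.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            raise ProfileError(f"{name}: entries must be permit statements: {value!r}")
        if tokens[2] != "any":
            # The router substitutes the client's address for the source; any other
            # source would be silently replaced, so reject it up front.
            raise ProfileError(f"{name}: source must be 'any': {value!r}")
        aces.append(tokens)
    if not aces:
        raise ProfileError("profile grants no access (no proxyacl#n entries)")
    return aces


def render_dynamic_acl(profile: str, client_ip: str) -> List[str]:
    """ACL entries the firewall installs for client_ip after it authenticates:
    the 'any' source of each proxyacl#n entry becomes 'host <client_ip>'."""
    ipaddress.ip_address(client_ip)   # refuse garbage before it lands in an ACE
    aces = validate(parse_auth_proxy_service(profile))
    return [" ".join(t[:2] + ["host", client_ip] + t[3:]) for t in aces]


def is_valid_profile(profile: str) -> bool:
    try:
        validate(parse_auth_proxy_service(profile))
        return True
    except ProfileError:
        return False


if __name__ == "__main__":
    for ace in render_dynamic_acl(SAMPLE_PROFILE, "192.168.25.215"):
        print(ace)
```

The rendered entries are what show ip auth-proxy cache implies exists for an HTTP_ESTAB client; when the cache entry times out they are removed together with it, which is why a profile that accidentally contains a deny entry or a host source never produces the access the administrator expects.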
Step 1  hq-sanjose(config)# ip http server
        Enables the HTTP server on the router. The authentication proxy uses the HTTP server to communicate with the client for user authentication.
Step 2  hq-sanjose(config)# ip http authentication aaa
        Sets the HTTP server authentication method to AAA.
Step 3  hq-sanjose(config)# ip http access-class access-list-number
        Specifies the standard access list that limits which hosts may connect to the HTTP server. Enabling the HTTP server also exposes the router's own web management interface, so do not skip this step; restrict it to the inside networks whose users need the proxy login page.
Step 1  hq-sanjose(config)# ip auth-proxy auth-cache-time min
        Sets the global authentication proxy idle timeout value in minutes. If the timeout expires, user authentication entries are removed, along with any associated dynamic access lists. The default value is 60 minutes.
Step 2  hq-sanjose(config)# ip auth-proxy auth-proxy-banner
        (Optional) Displays the name of the firewall router on the authentication proxy login page. The banner is disabled by default.
Step 3  hq-sanjose(config)# ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list std-access-list]
        Creates authentication proxy rules. The rules define how you apply authentication proxy. This command associates connection-initiating HTTP protocol traffic with an authentication proxy name. You can associate the named rule with an access control list, providing control over which hosts use the authentication proxy feature. If no standard access list is defined, the named authentication proxy rule intercepts HTTP traffic from all hosts whose connection-initiating packets are received at the configured interface.
        (Optional) The auth-cache-time option overrides the global authentication proxy cache timer. This option provides more control over timeout values for a specific authentication proxy rule. If no value is specified, the proxy rule assumes the value set with the ip auth-proxy auth-cache-time command.
        (Optional) The list option allows you to apply a standard access list to a named authentication proxy rule. HTTP connections initiated from hosts in the access list are intercepted by the authentication proxy.
Step 4  hq-sanjose(config)# interface type
        Enters interface configuration mode by specifying the interface type on which to apply the authentication proxy.
Step 5  hq-sanjose(config-if)# ip auth-proxy auth-proxy-name
        In interface configuration mode, applies the named authentication proxy rule at the interface. This command enables the authentication proxy rule with that name.
To verify that the authentication proxy is successfully configured on the router, ask a user to initiate an
HTTP connection through the router. The user must have authentication and authorization configured at
the AAA server. If the user authentication is successful, the firewall completes the HTTP connection for
the user. If the authentication is unsuccessful, check the access list and the AAA server configurations.
Display the user authentication entries using the show ip auth-proxy cache command in privileged EXEC
mode. The authentication proxy cache lists the host IP address, the source port number, the timeout value for
the authentication proxy, and the state of the connection. If the authentication proxy state is HTTP_ESTAB,
the user authentication was successful.
router# show ip auth-proxy cache
Authentication Proxy Cache
Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
Wait for one minute, which is the timeout value for this named rule, and ask the user to try the connection
again. After one minute, the user connection is denied because the authentication proxy has removed the user
authentication entry and any associated dynamic ACLs. The user is presented with a new authentication login
page and must log in again to gain access through the firewall.
PPTP/MPPE Configuration
hq-sanjose# show running-config
Current configuration
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mp12
!
no logging console guaranteed
enable password lab
!
username tester41 password 0 lab41
!
ip subnet-zero
no ip domain-lookup
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
local name cisco_pns
!
memory check-interval 1
!
controller ISA 5/0
encryption mppe
!
process-max-time 200
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
duplex auto
speed auto
!
interface Serial1/0
no ip address
no ip directed-broadcast
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
interface Serial1/1
no ip address
no ip directed-broadcast
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
interface FastEthernet4/0
no ip address
no ip directed-broadcast
shutdown
duplex half
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
no ip directed-broadcast
ip mroute-cache
no keepalive
ppp encrypt mppe 40
ppp authentication ms-chap
!
ip classless
ip route 172.29.1.129 255.255.255.255 1.1.1.1
ip route 172.29.63.9 255.255.255.255 1.1.1.1
no ip http server
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
login
!
aaa new-model
aaa authentication login default tacacs+ radius
! Set up the AAA new model to use the authentication proxy.
aaa authorization auth-proxy default tacacs+ radius
! Define the AAA servers used by the router.
tacacs-server host 172.31.54.143
tacacs-server key cisco
radius-server host 172.31.54.143
radius-server key cisco
!
! Enable the HTTP server on the router:
ip http server
! Set the HTTP server authentication method to AAA:
ip http authentication aaa
! Define standard access list 61 to deny any host.
access-list 61 deny any
! Use ACL 61 to deny connections from any host to the HTTP server.
ip http access-class 61
!
! Set the global authentication proxy timeout value.
ip auth-proxy auth-cache-time 60
! Apply a name to the authentication proxy configuration rule.
ip auth-proxy name HQ_users http
!
! Apply the authentication proxy rule at an interface.
interface e0
ip address 10.1.1.210 255.255.255.0
ip auth-proxy HQ_users
!
end
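As an added example (not from this guide or from Cisco), the following Python audit checks a running-config for the authentication proxy prerequisites listed in the steps above: the AAA and HTTP server commands, that each named rule is applied on an interface, and that any ACL referenced by a rule or by ip http access-class is actually defined. The sample config and its one-space indentation of interface sub-commands are constructed for the example.

```python
import re

# Constructed sample: the authentication proxy portion of the running-config
# above, with the one-space indentation IOS gives interface sub-commands.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ radius
aaa authorization auth-proxy default tacacs+ radius
ip http server
ip http authentication aaa
access-list 61 deny any
ip http access-class 61
ip auth-proxy auth-cache-time 60
ip auth-proxy name HQ_users http
!
interface e0
 ip address 10.1.1.210 255.255.255.0
 ip auth-proxy HQ_users
!
"""

# Global commands the feature depends on, matched as line prefixes.
REQUIRED = ("aaa new-model", "aaa authentication login default",
            "aaa authorization auth-proxy default", "ip http server",
            "ip http authentication aaa")
RULE_RE = re.compile(r"^ip auth-proxy name (\S+) http"
                     r"(?: auth-cache-time (\d+))?(?: list (\S+))?$")
APPLY_RE = re.compile(r"^ip auth-proxy (\S+)$")      # interface sub-command
HTTP_ACL_RE = re.compile(r"^ip http access-class (\S+)$")

def audit_auth_proxy(config):
    """Return a list of findings for a running-config; empty means it passes."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for prefix in REQUIRED:
        if not any(line.startswith(prefix) for line in lines):
            findings.append(f"missing global command: {prefix}")
    acls = {line.split()[1] for line in lines if line.startswith("access-list ")}
    rules, applied, iface = {}, {}, None   # rule -> ACL; rule -> interfaces
    for line in lines:
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line.startswith("!") or line == "end":
            iface = None                   # block separator ends the interface
        elif (m := RULE_RE.match(line)):
            rules[m.group(1)] = m.group(3)
        elif (m := APPLY_RE.match(line)) and iface:
            applied.setdefault(m.group(1), []).append(iface)
        elif (m := HTTP_ACL_RE.match(line)) and m.group(1) not in acls:
            findings.append(f"ip http access-class uses undefined ACL {m.group(1)}")
    if not rules:
        findings.append("no 'ip auth-proxy name ... http' rule defined")
    for name, acl in rules.items():
        if name not in applied:
            findings.append(f"rule {name} is not applied on any interface")
        if acl and acl not in acls:
            findings.append(f"rule {name} lists undefined ACL {acl}")
    return findings
```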
L2TP/IPSec Configuration
hq-sanjose# show running-config
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LNS
!
enable password ww
!
username LNS password 0 tunnelpass
username test@cisco.com password 0 cisco
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
This chapter discusses select Cisco VPN network management software. Each section discusses the
particular environments in which the network management tool is applicable.
This chapter includes the following sections:
• Cisco Secure Policy Manager, page 5-1
• Cisco VPN/Security Management Solution, page 5-2
• IPSec MIB and Third Party Monitoring Applications, page 5-3
• Cisco VPN Device Manager, page 5-3
Note The term ‘Cisco 7200 series router’ in this Guide implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
The following modules are included in the Cisco VPN/Security Management Solution. Together, these
modules provide essential VPN and security management capabilities:
• Cisco Secure Policy Manager Lite (CSPM-Lite)— Provides for defining VPN policies on Cisco 7200 series
routers and PIX Firewalls. CSPM also defines security policies on Cisco PIX Firewalls, and reports and
notifies of intrusions when Cisco Intrusion Detection Sensor technology is deployed.
• Cisco VPN Monitor is a web-based management tool that allows network administrators to collect,
store, and report information on L2TP, PPTP remote access, and IPSec-based site-to-site VPNs
configured on the Cisco 7200 series routers, Cisco 3600 series routers, Cisco 2600 series routers,
Cisco 1700 series routers, Cisco 800 series routers, and Cisco VPN 3000 Concentrator Series.
Multiple devices can be viewed from an easy-to-use dashboard configured on a web browser. After
the dashboard is configured, Cisco VPN Monitor continuously collects data from the devices it
manages over a rolling seven-day window. Operational status, performance, and security
information can be viewed at a glance, providing status information on IPsec VPN implementations.
Note The Cisco VPN Monitor does not support PIX Firewalls. For information on monitoring PIX Firewalls,
see the PIX Firewall System Management documentation.
Note The traps are not supported in the current version of the MIB. They only pertain to the Cisco IOS-specific
IPSec MIB.
The IPSec MIB feature is used in conjunction with an SNMP agent, which is based on Version 1 of the
SNMP protocol. The SNMP agent implements the IPSec MIB subsystem, which implements the MIBs
referred to in the "Supported Standards, MIBs, and RFCs" section of this feature module. By allowing
the user to adjust tunnel tables and enable IPSec trap notifications, the IPSec MIB feature provides
enhancements to the SNMP agent process.
See IPSec—SNMP Support for more information on IPSec MIB.
VDM Overview
VDM enables network administrators to manage and configure site-to-site VPNs on a single IOS VPN
device from a web browser, and view the effects of their changes in real time. VDM implements a
wizard-based GUI to simplify the process of configuring site-to-site VPNs using the IPSec protocol.
VDM software is installed directly on Cisco VPN devices. It is designed for use and compatibility with
other device manager products.
Note VDM supports site-to-site VPNs but not remote-client access VPNs.
Figure 5-1 shows the VDM Home Page under the System menu. This is the first window to appear after you
launch VDM and is the starting point for all other VDM activities.
The following other options are also available from the System menu:
• IOS Config—displays device Cisco IOS configuration information
• Log—displays messages about VDM activity
Number             Description
1                  Application menu bar
2                  Application-specific primary menu bar
3                  Application-specific secondary menu bar
4                  Application status bar
(between 3 and 4)  Application content area
Using a browser, you can log into a Cisco device and use VDM to efficiently configure VPNs on it. You
can set particular tunneling, encryption, and other VPN options, which can then be applied to the
interfaces facing peer devices. Use VDM to conveniently troubleshoot specific problems and perform
configuration updates and changes.
Benefits
This section contains information about the following benefits of using VDM:
• Configuration Wizards
• Single Device Configuration
• Monitoring Functions
• Convenient Navigation
• No Client Installation
Configuration Wizards
Browser-based VDM wizards help you perform ordinarily complex setup operations including:
• Step-by-step instructional panes for simplified VPN configuration, such as peer-to-peer setup.
• Tunneling and encryption support using transform sets, key lifetimes, IKE policies, security
association (SA) lifetime, authentication policies, error reports, and performance monitoring.
VDM configures only the device from which it is launched. It does not read or write configuration
information to or from other devices.
Monitoring Functions
Monitored data in graphs and charts contains basic device information, a VPN report card, top-ten lists,
and detailed views of user-specified tunnels that monitor duration, errors, and throughput.
Convenient Navigation
The following navigation methods ensure that you can conveniently identify your current location within
each wizard:
• Cascading highlighted menu tabs at the top of the GUI.
• A step-by-step tasks list in each wizard’s left frame contains a highlighted bar which moves down
the list as you progress through that wizard.
No Client Installation
Figure 5-2 shows the type of VPN that VDM can configure:
[Figure 5-2: VPN between peers, each with a LAN, connected across the Internet; Device Health Monitoring]
Note VDM does not work with RSA-encrypted nonces. (Nonces are random numbers or keys that are
generated once and not reused.)
Wizard        Description
Certificates  Starts the Certificates wizard, which allows you to enroll the device with a certificate
              authority and use digital certificates for authenticating peers.
Connections   Starts the Connections wizard, which creates VPN protected connections for selected traffic
              between selected local and remote hosts and subnets.
IKE           Starts the IKE wizard, which allows you to create IKE policies that determine how IKE
              establishes SAs with peers.
Peer Keys     Starts the Peer Keys wizard, which assigns and edits pre-shared keys, used to authenticate
              peers.
Transforms    Starts the Transforms wizard, which creates transform sets to authenticate, encrypt, and
              compress VPN traffic.
VLANs         Starts the VLANs wizard, which allows you to create access and interface VLANs on the device.
Figure 5-3 shows the Connections page for the VDM Connections wizard. This wizard allows you to
add, edit, or remove VPN connections. The Select a Connection list displays existing connections.
The Connection Description list provides the following details about the selected connection:
• IP addresses of peers
• Local and remote hosts and subnets
• Protocols
• Transforms
• The interface VLAN that acts as the inside interface to an IPSec VPN Acceleration Services Module
(only on devices that contain this module)
• Interface(s) to which the connection is applied
Figure 5-4 shows the Certificates page for the VDM Certificates wizard. This wizard allows you to
enroll a certificate identity with the Certificate Authority (CA) by using the Certificate Enrollment
wizard, as well as add, edit, and remove existing certificate identities.
The Select a Certificate Identity list displays existing certificate identities. The Certificate Identity
Description list provides details about the selected certificate identity, such as:
• Enrolled URL
• Proxy host and port
• Retry specifics
Figure 5-5 shows the IKE Overview page for the VDM IKE wizard. This wizard allows you to add, edit,
or remove IKE policies.
The Select a Policy list displays existing user-configured policies, as well as one global and one default
IKE policy. The Policy Description list provides the following details about the policy selected:
• Encryption and hash algorithms
• Authentication method
• SA specifics
Figure 5-6 shows the VDM Charts page with the CPU Utilization chart selected. You can generate many
charts from this page based on your charting object and charting object attribute selections.
The left list displays all objects with attributes that can be charted, such as CPU, IKE, IPSec, and a
variety of interfaces. The right list displays all object attributes associated with a selected object.
You must first select an object attribute to generate a chart. For example, under the IPSec object, you
have a choice of the following three different object attributes:
• Tunnels
• Total throughput
• Total crypto throughput
Available object attributes vary according to the selected object. For example, chartable object attributes
for the Interface object include the following:
• In and out packets
• Dropped packets
• Octets
• Errors
You can customize charts to display both historical and real-time data from periods as short as 10
minutes to as much as 5 days.
Figure 5-7 shows the VDM Report Card page, which displays information about the following activity
on the device:
• Total throughput
• Crypto throughput and failures
• IKE and IPSec Tunnels
• Replayed Packets
Figure 5-8 shows the VDM Top-Ten Lists page, which displays details about IKE and IPSec tunnels by
duration, errors, and traffic volume. You can select any of these reports from the drop-down list.
A top-ten list is a list of 10 tunnels on the device that rank highest when measured by particular criteria.
For example, you can view a list of the 10 IKE tunnels on the device that have the highest traffic volume.
Each top-ten list displays information about the following:
• Monitored tunnels
• Tunnel source devices
• Peers
• Transmitted packets and bytes
• SA details
Related Documents
Further information on VDM can be found in the following related documents:
• VPN Device Manager Cisco IOS feature document
• Installation and Release Notes for VPN Device Manager
• VPN Device Manager Online Help
For additional information, see the Cisco VPN Device Manager (VDM).